diff options
author | Ulf Hermann <ulf.hermann@digia.com> | 2014-09-19 16:12:24 +0200 |
---|---|---|
committer | Marc Mutz <marc.mutz@kdab.com> | 2014-10-17 10:09:18 +0200 |
commit | 880986be2357a1f80827d038d770dc2f80300201 (patch) | |
tree | 734cf9684d0b7f1cca65fc3e036e30a108d582f6 /src/corelib/tools/qbytearray.cpp | |
parent | 9eb2b25300c21df2abd9b174c1077a377a42fcd1 (diff) |
Check for integer overflows in places where qAllocMore is used
Task-number: QTBUG-41230
Change-Id: I5e932c2540c0bd67f13fab3ae20975d459f82c08
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Diffstat (limited to 'src/corelib/tools/qbytearray.cpp')
-rw-r--r-- | src/corelib/tools/qbytearray.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp index a069e441df..f57bcdb424 100644 --- a/src/corelib/tools/qbytearray.cpp +++ b/src/corelib/tools/qbytearray.cpp @@ -123,7 +123,7 @@ int qFindByteArray( int qAllocMore(int alloc, int extra) Q_DECL_NOTHROW { Q_ASSERT(alloc >= 0 && extra >= 0); - Q_ASSERT_X(alloc < (1 << 30) - extra, "qAllocMore", "Requested size is too large!"); + Q_ASSERT_X(alloc <= MaxAllocSize - extra, "qAllocMore", "Requested size is too large!"); unsigned nalloc = qNextPowerOfTwo(alloc + extra); @@ -1545,8 +1545,11 @@ void QByteArray::reallocData(uint alloc, Data::AllocationOptions options) Data::deallocate(d); d = x; } else { - if (options & Data::Grow) + if (options & Data::Grow) { + if (alloc > uint(MaxAllocSize) - uint(sizeof(Data))) + qBadAlloc(); alloc = qAllocMore(alloc, sizeof(Data)); + } Data *x = static_cast<Data *>(::realloc(d, sizeof(Data) + alloc)); Q_CHECK_PTR(x); x->alloc = alloc; |