Prevent negative size in QBitArray, QVector and QVarLengthArray ctors.

As shown in QTBUG-24345, QBitArray will exhibit invalid reads when
initialised with a negative size and run under valgrind.

QVector and QVarLengthArray both cause a crash if initialised with a
negative size.

This patch enforces sizes greater than or equal to 0 with asserts and
existing if statements, and hence impose no performance penalty for
release builds.

Task-number: QTBUG-24345
Task-number: QTBUG-30037

Change-Id: I9a969f6016e0a59904a60bbfe9e5360e6f523b87
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h
index 816e1f15f6..489ee821b9 100644
--- a/src/corelib/tools/qvector.h
+++ b/src/corelib/tools/qvector.h
@@ -398,7 +398,8 @@ QVector<T> &QVector<T>::operator=(const QVector<T> &v)
 template <typename T>
 QVector<T>::QVector(int asize)
 {
-    if (Q_LIKELY(asize)) {
+    Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
+    if (Q_LIKELY(asize > 0)) {
         d = Data::allocate(asize);
         d->size = asize;
         defaultConstruct(d->begin(), d->end());
@@ -410,7 +411,8 @@ QVector<T>::QVector(int asize)
 template <typename T>
 QVector<T>::QVector(int asize, const T &t)
 {
-    if (asize) {
+    Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
+    if (asize > 0) {
         d = Data::allocate(asize);
         d->size = asize;
         T* i = d->end();