diff options
| author | Marc Mutz <marc.mutz@kdab.com> | 2017-12-14 14:14:50 +0100 |
|---|---|---|
| committer | Eric Lemanissier <eric.lemanissier@gmail.com> | 2018-10-08 16:18:53 +0000 |
| commit | 8e5a2f63c3f6ee49d3f2e1985bf73de7769b0e72 (patch) | |
| tree | 5bd800e1e3a842af8cb9e54a4d7be3f5927a9342 /src/corelib/tools | |
| parent | 55d640483c1100d9340418c3fb96390087f5e7c4 (diff) | |
Fix UB (invalid pointer comparison) in QList, QVector, QVLA
QList, QVector and QVarLengthArray check the validity of iterators
passed to member functions using isValidIterator(), which checks that
the underlying pointers are in the range [begin, end]. This check is
well-defined when the outcome is positive, ie. when the iterator is
valid. But if the iterator is not valid, and does not happen to point
into [end, begin + capacity], the comparison, which uses normal
operator<, invokes UB.
Fix by using std::less<T*>, which defines a total ordering.
Change-Id: I1e5757789b4b9779f5e3e298e7f2b2dd0b27576c
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/corelib/tools')
| -rw-r--r-- | src/corelib/tools/qlist.h | 3 | ||||
| -rw-r--r-- | src/corelib/tools/qvarlengtharray.h | 3 | ||||
| -rw-r--r-- | src/corelib/tools/qvector.h | 3 |
3 files changed, 6 insertions, 3 deletions
diff --git a/src/corelib/tools/qlist.h b/src/corelib/tools/qlist.h index c00220ad3a..49ccbc9c9f 100644 --- a/src/corelib/tools/qlist.h +++ b/src/corelib/tools/qlist.h @@ -413,7 +413,8 @@ private: bool isValidIterator(const iterator &i) const Q_DECL_NOTHROW { - return (constBegin().i <= i.i) && (i.i <= constEnd().i); + const std::less<const Node *> less = {}; + return !less(i.i, cbegin().i) && !less(cend().i, i.i); } private: diff --git a/src/corelib/tools/qvarlengtharray.h b/src/corelib/tools/qvarlengtharray.h index b74b1fd123..597e7464cb 100644 --- a/src/corelib/tools/qvarlengtharray.h +++ b/src/corelib/tools/qvarlengtharray.h @@ -254,7 +254,8 @@ private: bool isValidIterator(const const_iterator &i) const { - return (i <= constEnd()) && (constBegin() <= i); + const std::less<const T*> less = {}; + return !less(cend(), i) && !less(i, cbegin()); } }; diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h index 345ba4b097..30fd7b2865 100644 --- a/src/corelib/tools/qvector.h +++ b/src/corelib/tools/qvector.h @@ -306,7 +306,8 @@ private: void destruct(T *from, T *to); bool isValidIterator(const iterator &i) const { - return (i <= d->end()) && (d->begin() <= i); + const std::less<const T*> less = {}; + return !less(d->end(), i) && !less(i, d->begin()); } class AlignmentDummy { Data header; T array[1]; }; }; |