author | Marc Mutz <marc.mutz@kdab.com> | 2016-01-06 10:36:41 +0100 |
committer | Marc Mutz <marc.mutz@kdab.com> | 2016-01-13 05:42:35 +0000 |
commit | 61169b72c24b336af23702fda1e86d1d1c2c8095 (patch) | |
tree | 182bdc242bcc3dd85767190250dc8d4d3f11c171 /src/corelib | |
parent | 13189360e50a429ee43ce927c29ebcd3948619b7 (diff) |
Fix UB in QIODevicePrivate
Passing nullptr as the second argument of memcpy/memmove
constitutes undefined behavior, even if the length argument
is zero at the same time.
Fix by protecting mem{cpy,move,chr} from nullptrs.
Found by UBSan:
qtbase/src/corelib/io/qiodevice_p.h:105:33: runtime error: null pointer passed as argument 2, which is declared to never be null
qtbase/src/corelib/io/qiodevice_p.h:175:53: runtime error: null pointer passed as argument 2, which is declared to never be null
Change-Id: I979158b0a74169ca4eb459928398ebc40f77dfb5
Reviewed-by: Alex Trotsenko <alex1973tr@gmail.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/corelib')
-rw-r--r-- | src/corelib/io/qiodevice_p.h | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/src/corelib/io/qiodevice_p.h b/src/corelib/io/qiodevice_p.h
index f4cf387eb5..8342176cff 100644
--- a/src/corelib/io/qiodevice_p.h
+++ b/src/corelib/io/qiodevice_p.h
@@ -102,14 +102,17 @@ public:
     }
     qint64 read(char* target, qint64 size) {
         qint64 r = qMin(size, len);
-        memcpy(target, first, r);
-        len -= r;
-        first += r;
+        if (r) {
+            memcpy(target, first, r);
+            len -= r;
+            first += r;
+        }
         return r;
     }
     qint64 peek(char* target, qint64 size) {
         qint64 r = qMin(size, len);
-        memcpy(target, first, r);
+        if (r)
+            memcpy(target, first, r);
         return r;
     }
     char* reserve(qint64 size) {
@@ -141,7 +144,7 @@ public:
         return r;
     }
     bool canReadLine() const {
-        return memchr(first, '\n', len);
+        return first && memchr(first, '\n', len);
     }
     void ungetChar(char c) {
         if (first == buf) {
@@ -172,7 +175,8 @@ private:
         if (newCapacity > capacity) {
             // allocate more space
             char* newBuf = new char[newCapacity];
-            memmove(newBuf + moveOffset, first, len);
+            if (first)
+                memmove(newBuf + moveOffset, first, len);
             delete [] buf;
             buf = newBuf;
             capacity = newCapacity;
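Review bot: The new `if (r)` guard in read() (and the same guard in peek() in this hunk) is also true for a negative `r`, so a caller passing a negative `size` still reaches memcpy with `r` converted to a huge size_t; `if (r > 0) {` would close both the null-pointer and the negative-length case at once. Whether a negative `size` can actually arrive here depends on the public QIODevice entry points, which are outside this file, so this may already be excluded upstream. It would also help a reader to see one guard convention: this hunk guards on the length while canReadLine() and the reallocation path in the later hunks guard on `first`; a one-line comment such as `// len == 0 implies first may be nullptr; never hand nullptr to memcpy/memmove/memchr` at the top of the class would record the invariant the three guards rely on. The enclosing function of the third hunk starts outside the hunk, and the surrounding `first` bookkeeping after the memmove is not visible here.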