Prevent negative size in QBitArray, QVector and QVarLengthArray ctors.

As shown in QTBUG-24345, QBitArray will exhibit invalid reads when initialised with a negative size and run under valgrind. QVector and QVarLengthArray both cause a crash if initialised with a negative size. This patch enforces sizes greater than or equal to 0 with asserts and existing if statements, and hence impose no performance penalty for release builds. Task-number: QTBUG-24345 Task-number: QTBUG-30037 Change-Id: I9a969f6016e0a59904a60bbfe9e5360e6f523b87 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
author: Mitch Curtis <mitch.curtis@digia.com> 2013-05-30 14:51:18 +0200
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-06-05 10:46:51 +0200
commit: 9aa24645eb09be9e1d05060b2d976327726cb747 (patch)
tree: 2e692b3b006240a554425f310d00324f894a5241 /src/corelib
parent: f36374727e5445cdab489a27605c35d1c4515317 (diff)
3 files changed, 8 insertions, 3 deletions
diff --git a/src/corelib/tools/qbitarray.cpp b/src/corelib/tools/qbitarray.cpp
index 2b459b2b1b..b04c4f9c3d 100644
--- a/src/corelib/tools/qbitarray.cpp
+++ b/src/corelib/tools/qbitarray.cpp
@@ -122,7 +122,8 @@ QT_BEGIN_NAMESPACE
 */
 QBitArray::QBitArray(int size, bool value)
 {
-    if (!size) {
+    Q_ASSERT_X(size >= 0, "QBitArray::QBitArray", "Size must be greater than or equal to 0.");
+    if (size <= 0) {
         d.resize(0);
         return;
     }
diff --git a/src/corelib/tools/qvarlengtharray.h b/src/corelib/tools/qvarlengtharray.h
index 3a2028057d..825e05ae1b 100644
--- a/src/corelib/tools/qvarlengtharray.h
+++ b/src/corelib/tools/qvarlengtharray.h
@@ -197,6 +197,8 @@ private:
 template <class T, int Prealloc>
 Q_INLINE_TEMPLATE QVarLengthArray<T, Prealloc>::QVarLengthArray(int asize)
     : s(asize) {
+    Q_STATIC_ASSERT_X(Prealloc > 0, "QVarLengthArray Prealloc must be greater than 0.");
+    Q_ASSERT_X(s >= 0, "QVarLengthArray::QVarLengthArray()", "Size must be greater than or equal to 0.");
     if (s > Prealloc) {
         ptr = reinterpret_cast<T *>(malloc(s * sizeof(T)));
         Q_CHECK_PTR(ptr);
diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h
index 816e1f15f6..489ee821b9 100644
--- a/src/corelib/tools/qvector.h
+++ b/src/corelib/tools/qvector.h
@@ -398,7 +398,8 @@ QVector<T> &QVector<T>::operator=(const QVector<T> &v)
 template <typename T>
 QVector<T>::QVector(int asize)
 {
-    if (Q_LIKELY(asize)) {
+    Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
+    if (Q_LIKELY(asize > 0)) {
         d = Data::allocate(asize);
         d->size = asize;
         defaultConstruct(d->begin(), d->end());
@@ -410,7 +411,8 @@ QVector<T>::QVector(int asize)
 template <typename T>
 QVector<T>::QVector(int asize, const T &t)
 {
-    if (asize) {
+    Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
+    if (asize > 0) {
         d = Data::allocate(asize);
         d->size = asize;
         T* i = d->end();
author	Mitch Curtis <mitch.curtis@digia.com>	2013-05-30 14:51:18 +0200
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-06-05 10:46:51 +0200
commit	9aa24645eb09be9e1d05060b2d976327726cb747 (patch)
tree	2e692b3b006240a554425f310d00324f894a5241 /src/corelib
parent	f36374727e5445cdab489a27605c35d1c4515317 (diff)