diff options
| author | Thiago Macieira <thiago.macieira@intel.com> | 2016-04-26 14:56:32 -0700 |
|---|---|---|
| committer | Thiago Macieira <thiago.macieira@intel.com> | 2016-04-28 02:45:37 +0000 |
| commit | ef7b0df4192b390c70a5e848bbe7c397daaefcce (patch) | |
| tree | 790044361906917222d7894c076560b0d72bcc6f /src/corelib | |
| parent | f1958dbbead8843a96b1b59de59d8db340e0196b (diff) | |
Fix QArrayData::allocate() to guard against integer overflows
The proper solution with qCalculateBlockSize will come for Qt 5.7.
Change-Id: Ifea6e497f11a461db432ffff14490788fc522eb7
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Diffstat (limited to 'src/corelib')
| -rw-r--r-- | src/corelib/tools/qarraydata.cpp | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/corelib/tools/qarraydata.cpp b/src/corelib/tools/qarraydata.cpp index d9519745b0..fa6556f7d9 100644 --- a/src/corelib/tools/qarraydata.cpp +++ b/src/corelib/tools/qarraydata.cpp @@ -32,6 +32,7 @@ ****************************************************************************/ #include <QtCore/qarraydata.h> +#include <QtCore/private/qnumeric_p.h> #include <QtCore/private/qtools_p.h> #include <stdlib.h> @@ -87,16 +88,22 @@ QArrayData *QArrayData::allocate(size_t objectSize, size_t alignment, if (capacity > std::numeric_limits<size_t>::max() / objectSize) return 0; - size_t alloc = objectSize * capacity; + size_t alloc; + if (mul_overflow(objectSize, capacity, &alloc)) + return 0; - // Make sure qAllocMore won't overflow. + // Make sure qAllocMore won't overflow qAllocMore. if (headerSize > size_t(MaxAllocSize) || alloc > size_t(MaxAllocSize) - headerSize) return 0; capacity = qAllocMore(int(alloc), int(headerSize)) / int(objectSize); } - size_t allocSize = headerSize + objectSize * capacity; + size_t allocSize; + if (mul_overflow(objectSize, capacity, &allocSize)) + return 0; + if (add_overflow(allocSize, headerSize, &allocSize)) + return 0; QArrayData *header = static_cast<QArrayData *>(::malloc(allocSize)); if (header) { |