diff options
| author | Dimitrios Apostolou <jimis@qt.io> | 2022-04-09 00:06:22 +0200 |
|---|---|---|
| committer | Dimitrios Apostolou <jimis@qt.io> | 2022-04-12 00:48:17 +0200 |
| commit | b8677bd31fdb8e0cc897dcd4e39e121baa3e9722 (patch) | |
| tree | 6b3af36f070209602c170db9093925dd66e6b217 /src/gui/util | |
| parent | f9f10857354a0775730595ce1e7a435b62bd1bf9 (diff) | |
Fix use-after-free because QByteArray::data() was copying data
Previously there was a mixture of buf.constData() and buf.data() with
buf not being const QByteArray. As a result, buf.data() returned a
re-allocated buffer and texData was keeping pointers to that one, which
became invalid once the function returned and the re-allocated buffer
was cleaned up by destructor.
Change buf to const QByteArray so that there is no difference between
data() and constData(). Additionally convert all constData() calls to
data() to avoid confusion.
Detected by Address Sanitizer on testcase
tst_qtexturefilereader::checkMetadata()
Pick-to: 6.3 6.2
Change-Id: Idb6f6141898678bf95ed9233a92b7bb3ad12e250
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
Diffstat (limited to 'src/gui/util')
| -rw-r--r-- | src/gui/util/qktxhandler.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp index e2030e3ff3..c1bf04f3ef 100644 --- a/src/gui/util/qktxhandler.cpp +++ b/src/gui/util/qktxhandler.cpp @@ -126,14 +126,14 @@ QTextureFileData QKtxHandler::read() if (!device()) return QTextureFileData(); - QByteArray buf = device()->readAll(); + const QByteArray buf = device()->readAll(); const quint32 dataSize = quint32(buf.size()); if (dataSize < headerSize || !canRead(QByteArray(), buf)) { qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); return QTextureFileData(); } - const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.constData()); + const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.data()); if (!checkHeader(*header)) { qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); return QTextureFileData(); @@ -162,7 +162,7 @@ QTextureFileData QKtxHandler::read() if (offset + sizeof(quint32) > dataSize) // Corrupt file; avoid oob read break; - const quint32 imageSize = decode(qFromUnaligned<quint32>(buf.constData() + offset)); + const quint32 imageSize = decode(qFromUnaligned<quint32>(buf.data() + offset)); offset += sizeof(quint32); for (int face = 0; face < qMin(texData.numFaces(), MAX_ITERATIONS); face++) { |