QDateTime: Fix clearing the ShortData flag in setMSecsSinceEpoch

Unlike setTimeSpec, this forgot to clear the bit when detaching. So it's
possible that some further use of the flags could incorrectly conclude
that the data was short and then proceed to corrupt the pointer.

The example from QTBUG-59061 caused this because toUTC() -> toTimeSpec()
calls setMSecsSinceEpoch which left the bit set; then addDays() calls
setDateTime(), which calls checkValidDateTime() and that corrupted the
pointer. This problem was more visible on 32-bit systems because no
QDateTime was short (except for default constructed ones), but it
can happen on 64-bit with sufficiently large dates.

Task-number: QTBUG-59061
Change-Id: Ibc5c715fda334a75bd2efffd14a562a375a4e69b
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>

1 files changed, 4 insertions, 1 deletions

diff --git a/src/corelib/tools/qdatetime.cpp b/src/corelib/tools/qdatetime.cpp
index a642358770..bf92be2dd4 100644
--- a/src/corelib/tools/qdatetime.cpp
+++ b/src/corelib/tools/qdatetime.cpp
@@ -2842,6 +2842,9 @@ inline bool QDateTime::Data::isShort() const
 {
     bool b = quintptr(d) & QDateTimePrivate::ShortData;
 
+    // sanity check:
+    Q_ASSERT(b || (d->m_status & QDateTimePrivate::ShortData) == 0);
+
     // even if CanBeSmall = false, we have short data for a default-constructed
     // QDateTime object. But it's unlikely.
     if (CanBeSmall)
@@ -3658,7 +3661,7 @@ void QDateTime::setMSecsSinceEpoch(qint64 msecs)
         d.data.status = status;
     } else {
         d.detach();
-        d->m_status = status;
+        d->m_status = status & ~QDateTimePrivate::ShortData;
         d->m_msecs = msecs;
     }