authorMarc Mutz <marc.mutz@qt.io>2021-12-16 10:00:47 +0100
committerMarc Mutz <marc.mutz@qt.io>2021-12-17 12:34:27 +0100
commitc31fecd27fa1ca0bebc96d39ca01ff86578f8d7f (patch)
treee600310bbf51ec62c6ad952c197b7510ec4ce169 /src
parent0c39e5c76d5a04b1e710d9038332dc21ad323bab (diff)
QByteArray: fix UB (precondition violation) in replace()
If after.isNull(), then we called memcpy with a nullptr, which is UB, even if the size is zero, too. memmove() has the same precondition. Fix by guarding the memcpy() call with an explicit length check. The Qt 5.15 code is sufficiently different to not attempt to pick there. Pick-to: 6.3 6.2 Change-Id: I86a2f00ede6ca8fab8d4222f84dccf375c4a2194 Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io> Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/corelib/text/qbytearray.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/corelib/text/qbytearray.cpp b/src/corelib/text/qbytearray.cpp
index 7562548bad..a03462561f 100644
--- a/src/corelib/text/qbytearray.cpp
+++ b/src/corelib/text/qbytearray.cpp
@@ -2169,8 +2169,10 @@ QByteArray &QByteArray::replace(qsizetype pos, qsizetype len, QByteArrayView aft
return replace(pos, len, QByteArrayView{copy});
}
if (len == after.size() && (pos + len <= size())) {
+ // same size: in-place replacement possible
detach();
- memcpy(d.data() + pos, after.data(), len*sizeof(char));
+ if (len > 0)
+ memcpy(d.data() + pos, after.data(), len*sizeof(char));
return *this;
} else {
// ### optimize me
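Review bot: The in-place branch condition `len == after.size() && (pos + len <= size())` bounds only the upper end of the write, so the guarded `memcpy(d.data() + pos, ...)` still depends on `pos` being non-negative. Nothing in the visible lines rejects a negative `pos`, which would satisfy the sum check and place the destination before the start of the buffer. The function's opening lies outside the hunk, so this may already be handled there and should be confirmed. If it is not, writing the test as `if (len == after.size() && pos >= 0 && len <= size() - pos) {` covers the lower bound and also avoids the signed overflow that `pos + len` can hit for very large arguments. A short comment on the new `if (len > 0)` stating that a null `after.data()` is the reason for the guard would keep it from being removed as redundant later.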