author | Jüri Valdmann <juri.valdmann@qt.io> | 2018-05-03 13:25:06 +0200 |
---|---|---|
committer | Jüri Valdmann <juri.valdmann@qt.io> | 2018-05-04 11:53:03 +0000 |
commit | d3935cbd71171e1d8f3742cc3235ca0c38313ec8 (patch) | |
tree | 552de4567a83abb647be4875af1531fe9dfca6a2 /src | |
parent | de40f24706d0f3c4cc13900380aacc90d6879356 (diff) |
QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.
A new test case is added with an empty binary json file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.
Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
mode | file | lines |
---|---|---|
-rw-r--r-- | src/corelib/serialization/qjson_p.h | 2 |
-rw-r--r-- | src/corelib/serialization/qjsondocument.cpp | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/src/corelib/serialization/qjson_p.h b/src/corelib/serialization/qjson_p.h index 7743382806..dc56a49084 100644 --- a/src/corelib/serialization/qjson_p.h +++ b/src/corelib/serialization/qjson_p.h @@ -450,7 +450,7 @@ static inline void copyString(char *dest, const QString &str, bool compress) /* - Base is the base class for both Object and Array. Both classe work more or less the same way. + Base is the base class for both Object and Array. Both classes work more or less the same way. The class starts with a header (defined by the struct below), then followed by data (the data for values in the Array case and Entry's (see below) for objects. diff --git a/src/corelib/serialization/qjsondocument.cpp b/src/corelib/serialization/qjsondocument.cpp index 9794bca60d..ab27b45fda 100644 --- a/src/corelib/serialization/qjsondocument.cpp +++ b/src/corelib/serialization/qjsondocument.cpp @@ -210,6 +210,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat return QJsonDocument(); } + if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base))) + return QJsonDocument(); + QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size); d->ownsData = false; |
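Review bot: In the qjson_p.h hunk the "classe" to "classes" fix is fine, but the sentence that follows it in the same comment still has an unbalanced parenthesis and a stray apostrophe: "then followed by data (the data for values in the Array case and Entry's (see below) for objects." Since this comment is being touched anyway, consider closing the parenthesis and writing "Entry structs", e.g. "followed by data (the values in the Array case, Entry structs (see below) in the Object case)."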
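Review bot: The new early return in the qjsondocument.cpp hunk only guarantees that a QJsonPrivate::Header and a QJsonPrivate::Base fit inside the buffer; offsets stored within the data are still unchecked at this point, so a short comment saying this is a minimum-length check and that deeper checks are left to the DataValidation argument would help the next reader. The explicit `(int)` cast in `if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))` is correct and also deserves a comment: without it a negative `size` would be converted to unsigned for the comparison and slip past the check. Finally, the commit message mentions a new test with an empty binary JSON file, but the diffstat shown here is limited to 'src', so reviewers looking only at this page cannot see it.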