summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJüri Valdmann <juri.valdmann@qt.io>2018-05-03 13:25:06 +0200
committerJüri Valdmann <juri.valdmann@qt.io>2018-05-04 11:53:03 +0000
commitd3935cbd71171e1d8f3742cc3235ca0c38313ec8 (patch)
tree552de4567a83abb647be4875af1531fe9dfca6a2 /src
parentde40f24706d0f3c4cc13900380aacc90d6879356 (diff)
QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer without first checking the size parameter. Fixed by checking the size parameter. A new test case is added with an empty binary json file. Although the test does not fail under normal conditions, the problem can be detected using valgrind or AddressSanitizer. Task-number: QTBUG-61969 Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481 Reviewed-by: Lars Knoll <lars.knoll@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
-rw-r--r--src/corelib/serialization/qjson_p.h2
-rw-r--r--src/corelib/serialization/qjsondocument.cpp3
2 files changed, 4 insertions, 1 deletions
diff --git a/src/corelib/serialization/qjson_p.h b/src/corelib/serialization/qjson_p.h
index 7743382806..dc56a49084 100644
--- a/src/corelib/serialization/qjson_p.h
+++ b/src/corelib/serialization/qjson_p.h
@@ -450,7 +450,7 @@ static inline void copyString(char *dest, const QString &str, bool compress)
/*
- Base is the base class for both Object and Array. Both classe work more or less the same way.
+ Base is the base class for both Object and Array. Both classes work more or less the same way.
The class starts with a header (defined by the struct below), then followed by data (the data for
values in the Array case and Entry's (see below) for objects.
diff --git a/src/corelib/serialization/qjsondocument.cpp b/src/corelib/serialization/qjsondocument.cpp
index 9794bca60d..ab27b45fda 100644
--- a/src/corelib/serialization/qjsondocument.cpp
+++ b/src/corelib/serialization/qjsondocument.cpp
@@ -210,6 +210,9 @@ QJsonDocument QJsonDocument::fromRawData(const char *data, int size, DataValidat
return QJsonDocument();
}
+ if (size < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
+ return QJsonDocument();
+
QJsonPrivate::Data *d = new QJsonPrivate::Data((char *)data, size);
d->ownsData = false;