author | Thiago Macieira <thiago.macieira@intel.com> | 2020-05-05 11:59:52 -0700 |
---|---|---|
committer | Thiago Macieira <thiago.macieira@intel.com> | 2020-05-07 07:39:26 -0700 |
commit | 798492ccee75a841dfec0e669a409515f3462350 (patch) | |
tree | 3e278d7580106e7bcd29fb027979138bd8a3f89e /tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp | |
parent | 66908badaca7bd258c00103bc388f0ce3bcf7322 (diff) |
QCborValue: catch overflow in QByteArray when decoding chunked strings
We checked against integer overflow, but not against overflowing the
QByteArray size limit. That caused a std::bad_alloc to be thrown, which
is bad when decoding unknown data. QCborStreamReader wasn't affected,
since it doesn't merge chunks.
Change-Id: I99ab0f318b1c43b89888fffd160c36f495fada87
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp')
-rw-r--r-- | tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
index 9c1341e252..1379cc348d 100644
--- a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
+++ b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
@@ -1926,11 +1926,24 @@ void tst_QCborValue::validation_data()
 // Add QCborStreamReader-specific limitations due to use of QByteArray and
 // QString, which are allocated by QArrayData::allocate().
 const qsizetype MaxInvalid = std::numeric_limits<QByteArray::size_type>::max();
- const qsizetype MinInvalid = MaxByteArraySize + 1;
+ const qsizetype MinInvalid = MaxByteArraySize + 1 - sizeof(QByteArray::size_type);
 addValidationColumns();
 addValidationData(MinInvalid);
 addValidationLargeData(MinInvalid, MaxInvalid);
+ // Chunked strings whose total overflows the limit, but each individual
+ // chunk doesn't. 0x5a for 32-bit, 0x5b for 64-bit.
+ char toolong[1 + sizeof(qsizetype)];
+ toolong[0] = sizeof(MinInvalid) > 4 ? 0x5b : 0x5a;
+ qToBigEndian(MinInvalid - 1, toolong + 1);
+ QTest::addRow("bytearray-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+ << ("\x5f\x41z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+ toolong[0] |= 0x20;
+ QTest::addRow("string-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+ << ("\x7f\x61z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+ << 0 << CborErrorDataTooLarge;
+
 // These tests say we have arrays and maps with very large item counts.
 // They are meant to ensure we don't pre-allocate a lot of memory
 // unnecessarily and possibly crash the application. The actual number of |
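Review bot: Both new `QTest::addRow` calls pair the `%llx` format with `MinInvalid`, a `qsizetype`, which matches `long long` only where `qsizetype` is 64-bit; on a 32-bit build the printf-style call receives a 32-bit argument for a 64-bit conversion, which is undefined behaviour in the row-name formatting even though the comment on the preceding lines clearly anticipates 32-bit targets. Passing `static_cast<long long>(MinInvalid)` in each call keeps both rows correct on either width. The revised `MinInvalid` line also mixes the signed `qsizetype` with the unsigned `sizeof(QByteArray::size_type)`, so the subtraction is evaluated in `size_t` and narrowed back on assignment; writing `qsizetype(sizeof(QByteArray::size_type))` keeps the arithmetic signed, and a one-line comment saying why that term is subtracted would help, since the reason is not stated in the hunk and presumably relates to allocation bookkeeping (worth confirming). The two rows cover a two-chunk total that exceeds the limit by one; a row built from several small chunks whose sum crosses the limit would exercise the same accumulation check without relying on a single near-maximal chunk. `tst_QCborValue::validation_data` begins before this hunk and continues after it.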