7 files changed, 52 insertions, 23 deletions

diff --git a/dist/changes-5.15.0 b/dist/changes-5.15.0
index f8e2330311..c42ff4b84d 100644
--- a/dist/changes-5.15.0
+++ b/dist/changes-5.15.0
@@ -46,23 +46,21 @@ information about a particular change.
  - QtNetwork:
    * QNetworkConfigurationManager, QNetworkConfiguration and QNetworkSession
      are deprecated, to be removed in Qt 6.
+   * QNetworkAccessManager::activeConfiguration, configuration and
+     setConfiguration are deprecated, to be removed in Qt 6.
+   * QNetworkAccessManager::networkAccessible, setNetworkAccessible and
+     the NetworkAccessibility enum are deprecated, to be removed in Qt 6.
+   * QLocalSocket::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * QAbstractSocket::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * QNetworkReply::error() (the signal) is deprecated; superseded by
+     errorOccurred()
+   * [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
+     superseded by sslHandshakeErrors()
 
- - [REVERTED] [QTBUG-80369] QAbstractSocket::error() (the getter) is
-   deprecated; superseded by socketError().
- - [REVERTED] [QTBUG-80369] QLocalSocket::error() (the getter) is
-   deprecated; superseded by socketError().
- - [QTBUG-80369] QSslSocket::sslErrors() (the getter) was deprecated and
-   superseded by sslHandshakeErrors()
- - [REVERTED] [QTBUG-80369] QNetworkReply::error() (the getter) was
-   deprecated; superseded by networkError().
  - [QTBUG-81630][QTBUG-80312] QLinkedList is deprecated and will be moved
    to Qt5Compat in Qt 6. It is recommended to use std::list instead.
- - QLocalSocket::error() (the signal) is deprecated; superseded by
-   errorOccurred()
- - QAbstractSocket::error() (the signal) is deprecated; superseded by
-   errorOccurred()
- - QNetworkReply::error() (the signal) is deprecated; superseded by
-   errorOccurred()
 
 See also the various sections below, which include many more deprecations.
 
diff --git a/mkspecs/features/qt.prf b/mkspecs/features/qt.prf
index 6fe0059bf7..99b7fe6562 100644
--- a/mkspecs/features/qt.prf
+++ b/mkspecs/features/qt.prf
@@ -293,7 +293,7 @@ contains(all_qt_module_deps, qml): \
 
     !isEmpty(SCANNERRESOURCES) {
         IMPORTPATHS += -qrcFiles
-        for (RESOURCE, SCANNERRESOURCES)
+        for (RESOURCE, SCANNERRESOURCES): \
             IMPORTPATHS += $$absolute_path($$system_quote($$RESOURCE), $$_PRO_FILE_PWD_)
     }
 
diff --git a/src/corelib/io/qstandardpaths_win.cpp b/src/corelib/io/qstandardpaths_win.cpp
index 5055f4020c..cbe4ccd0b2 100644
--- a/src/corelib/io/qstandardpaths_win.cpp
+++ b/src/corelib/io/qstandardpaths_win.cpp
@@ -47,6 +47,7 @@
 #include <qcoreapplication.h>
 #endif
 
+#include <qoperatingsystemversion.h>
 #include <qt_windows.h>
 #include <shlobj.h>
 #include <intshcut.h>
@@ -99,7 +100,11 @@ static bool isProcessLowIntegrity() {
     // Disable function until Qt CI is updated
     return false;
 #else
-    HANDLE process_token = GetCurrentProcessToken(); // non-leaking pseudo-handle
+    if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8)
+        return false;
+    // non-leaking pseudo-handle. Expanded inline function GetCurrentProcessToken()
+    // (was made an inline function in Windows 8).
+    const auto process_token = HANDLE(quintptr(-4));
 
     QVarLengthArray<char,256> token_info_buf(256);
     auto* token_info = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(token_info_buf.data());
diff --git a/src/corelib/serialization/qcborvalue.cpp b/src/corelib/serialization/qcborvalue.cpp
index 3bca15d562..89a928d348 100644
--- a/src/corelib/serialization/qcborvalue.cpp
+++ b/src/corelib/serialization/qcborvalue.cpp
@@ -1636,7 +1636,7 @@ void QCborContainerPrivate::decodeStringFromCbor(QCborStreamReader &reader)
         if (len == rawlen) {
             auto oldSize = data.size();
             auto newSize = oldSize;
-            if (!add_overflow(newSize, len, &newSize)) {
+            if (!add_overflow(newSize, len, &newSize) && newSize < MaxByteArraySize) {
                 if (newSize != oldSize)
                     data.resize(newSize);
 
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 2b5cd58fb1..b7c8e8f824 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
     }
 
     // Don't overflow 32bit integers:
-    if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+    if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
         qCWarning(lcIcc, "Failed tag count sanity");
         return false;
     }
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
     // Read tag index
     const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
     const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+    Q_ASSERT(offsetToData > 0);
     if (offsetToData > data.size()) {
         qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
         return false;
diff --git a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
index 9abfe0f575..f3b6893957 100644
--- a/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
+++ b/tests/auto/corelib/serialization/cborlargedatavalidation.cpp
@@ -81,19 +81,31 @@ qint64 LargeIODevice::readData(char *data, qint64 maxlen)
 
 void addValidationLargeData(qsizetype minInvalid, qsizetype maxInvalid)
 {
-    char toolong[2 + sizeof(qsizetype)] = { char(0x81) };
+    char toolong[1 + sizeof(qsizetype)];
     for (qsizetype v = maxInvalid; v >= minInvalid; --v) {
         // 0x5a for 32-bit, 0x5b for 64-bit
-        toolong[1] = sizeof(v) > 4 ? 0x5b : 0x5a;
-        qToBigEndian(v, toolong + 2);
+        toolong[0] = sizeof(v) > 4 ? 0x5b : 0x5a;
+        qToBigEndian(v, toolong + 1);
 
         QTest::addRow("bytearray-too-big-for-qbytearray-%llx", v)
                 << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
-        toolong[1] |= 0x20;
+        QTest::addRow("bytearray-chunked-too-big-for-qbytearray-%llx", v)
+                << ('\x5f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        QTest::addRow("bytearray-2chunked-too-big-for-qbytearray-%llx", v)
+                << ("\x5f\x40" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        toolong[0] |= 0x20;
 
         // QCborStreamReader::readString copies to a QByteArray first
         QTest::addRow("string-too-big-for-qbytearray-%llx", v)
                 << QByteArray(toolong, sizeof(toolong)) << 0 << CborErrorDataTooLarge;
+        QTest::addRow("string-chunked-too-big-for-qbytearray-%llx", v)
+                << ('\x7f' + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
+        QTest::addRow("string-2chunked-too-big-for-qbytearray-%llx", v)
+                << ("\x7f\x60" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+                << 0 << CborErrorDataTooLarge;
     }
 }
 
diff --git a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
index 9c1341e252..1379cc348d 100644
--- a/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
+++ b/tests/auto/corelib/serialization/qcborvalue/tst_qcborvalue.cpp
@@ -1926,11 +1926,24 @@ void tst_QCborValue::validation_data()
     // Add QCborStreamReader-specific limitations due to use of QByteArray and
     // QString, which are allocated by QArrayData::allocate().
     const qsizetype MaxInvalid = std::numeric_limits<QByteArray::size_type>::max();
-    const qsizetype MinInvalid = MaxByteArraySize + 1;
+    const qsizetype MinInvalid = MaxByteArraySize + 1 - sizeof(QByteArray::size_type);
     addValidationColumns();
     addValidationData(MinInvalid);
     addValidationLargeData(MinInvalid, MaxInvalid);
 
+    // Chunked strings whose total overflows the limit, but each individual
+    // chunk doesn't. 0x5a for 32-bit, 0x5b for 64-bit.
+    char toolong[1 + sizeof(qsizetype)];
+    toolong[0] = sizeof(MinInvalid) > 4 ? 0x5b : 0x5a;
+    qToBigEndian(MinInvalid - 1, toolong + 1);
+    QTest::addRow("bytearray-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+            << ("\x5f\x41z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+            << 0 << CborErrorDataTooLarge;
+    toolong[0] |= 0x20;
+    QTest::addRow("string-2chunked+1-too-big-for-qbytearray-%llx", MinInvalid)
+            << ("\x7f\x61z" + QByteArray(toolong, sizeof(toolong)) + '\xff')
+            << 0 << CborErrorDataTooLarge;
+
     // These tests say we have arrays and maps with very large item counts.
     // They are meant to ensure we don't pre-allocate a lot of memory
     // unnecessarily and possibly crash the application. The actual number of