1 files changed, 28 insertions, 9 deletions

diff --git a/src/corelib/json/qjson_p.h b/src/corelib/json/qjson_p.h
index 4be62172a2..0c78fadfc7 100644
--- a/src/corelib/json/qjson_p.h
+++ b/src/corelib/json/qjson_p.h
@@ -326,12 +326,19 @@ public:
     explicit String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_int length;
+        qle_uint length;
         qle_ushort utf16[1];
     };
 
     Data *d;
 
+    int byteSize() const { return sizeof(uint) + sizeof(ushort) * d->length; }
+    bool isValid(int maxSize) const {
+        // Check byteSize() <= maxSize, avoiding integer overflow
+        maxSize -= sizeof(uint);
+        return maxSize >= 0 && uint(d->length) <= maxSize / sizeof(ushort);
+    }
+
     inline String &operator=(const QString &str)
     {
         d->length = str.length();
@@ -400,11 +407,16 @@ public:
     explicit Latin1String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_short length;
+        qle_ushort length;
         char latin1[1];
     };
     Data *d;
 
+    int byteSize() const { return sizeof(ushort) + sizeof(char)*(d->length); }
+    bool isValid(int maxSize) const {
+        return byteSize() <= maxSize;
+    }
+
     inline Latin1String &operator=(const QString &str)
     {
         int len = d->length = str.length();
@@ -606,7 +618,7 @@ public:
     int indexOf(const QString &key, bool *exists) const;
     int indexOf(QLatin1String key, bool *exists) const;
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -616,7 +628,7 @@ public:
     inline Value at(int i) const;
     inline Value &operator [](int i);
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -671,12 +683,12 @@ public:
     // key
     // value data follows key
 
-    int size() const {
+    uint size() const {
         int s = sizeof(Entry);
         if (value.latinKey)
-            s += sizeof(ushort) + qFromLittleEndian(*(ushort *) ((const char *)this + sizeof(Entry)));
+            s += shallowLatin1Key().byteSize();
         else
-            s += sizeof(uint) + sizeof(ushort)*qFromLittleEndian(*(int *) ((const char *)this + sizeof(Entry)));
+            s += shallowKey().byteSize();
         return alignedSize(s);
     }
 
@@ -702,6 +714,15 @@ public:
         return shallowKey().toString();
     }
 
+    bool isValid(int maxSize) const {
+        if (maxSize < (int)sizeof(Entry))
+            return false;
+        maxSize -= sizeof(Entry);
+        if (value.latinKey)
+            return shallowLatin1Key().isValid(maxSize);
+        return shallowKey().isValid(maxSize);
+    }
+
     bool operator ==(const QString &key) const;
     inline bool operator !=(const QString &key) const { return !operator ==(key); }
     inline bool operator >=(const QString &key) const;
@@ -714,8 +735,6 @@ public:
     bool operator >=(const Entry &other) const;
 };
 
-inline bool operator!=(const Entry &lhs, const Entry &rhs) { return !(lhs == rhs); }
-
 inline bool Entry::operator >=(const QString &key) const
 {
     if (value.latinKey)