summaryrefslogtreecommitdiffstats
path: root/src/corelib/json
diff options
context:
space:
mode:
Diffstat (limited to 'src/corelib/json')
-rw-r--r--src/corelib/json/qjson.cpp25
-rw-r--r--src/corelib/json/qjson_p.h37
-rw-r--r--src/corelib/json/qjsonobject.cpp4
-rw-r--r--src/corelib/json/qjsonparser.cpp94
-rw-r--r--src/corelib/json/qjsonparser_p.h4
-rw-r--r--src/corelib/json/qjsonvalue.cpp8
6 files changed, 141 insertions, 31 deletions
diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index e9a1366af0..d509349a51 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -135,10 +135,12 @@ bool Data::valid() const
return false;
bool res = false;
- if (header->root()->is_object)
- res = static_cast<Object *>(header->root())->isValid();
+ Base *root = header->root();
+ int maxSize = alloc - sizeof(Header);
+ if (root->is_object)
+ res = static_cast<Object *>(root)->isValid(maxSize);
else
- res = static_cast<Array *>(header->root())->isValid();
+ res = static_cast<Array *>(root)->isValid(maxSize);
return res;
}
@@ -223,9 +225,9 @@ int Object::indexOf(QLatin1String key, bool *exists) const
return min;
}
-bool Object::isValid() const
+bool Object::isValid(int maxSize) const
{
- if (tableOffset + length*sizeof(offset) > size)
+ if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
return false;
QString lastKey;
@@ -234,8 +236,7 @@ bool Object::isValid() const
if (entryOffset + sizeof(Entry) >= tableOffset)
return false;
Entry *e = entryAt(i);
- int s = e->size();
- if (table()[i] + s > tableOffset)
+ if (!e->isValid(tableOffset - table()[i]))
return false;
QString key = e->key();
if (key < lastKey)
@@ -249,9 +250,9 @@ bool Object::isValid() const
-bool Array::isValid() const
+bool Array::isValid(int maxSize) const
{
- if (tableOffset + length*sizeof(offset) > size)
+ if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
return false;
for (uint i = 0; i < length; ++i) {
@@ -359,12 +360,12 @@ bool Value::isValid(const Base *b) const
int s = usedStorage(b);
if (!s)
return true;
- if (s < 0 || offset + s > (int)b->tableOffset)
+ if (s < 0 || s > (int)b->tableOffset - offset)
return false;
if (type == QJsonValue::Array)
- return static_cast<Array *>(base(b))->isValid();
+ return static_cast<Array *>(base(b))->isValid(s);
if (type == QJsonValue::Object)
- return static_cast<Object *>(base(b))->isValid();
+ return static_cast<Object *>(base(b))->isValid(s);
return true;
}
diff --git a/src/corelib/json/qjson_p.h b/src/corelib/json/qjson_p.h
index 4be62172a2..0c78fadfc7 100644
--- a/src/corelib/json/qjson_p.h
+++ b/src/corelib/json/qjson_p.h
@@ -326,12 +326,19 @@ public:
explicit String(const char *data) { d = (Data *)data; }
struct Data {
- qle_int length;
+ qle_uint length;
qle_ushort utf16[1];
};
Data *d;
+ int byteSize() const { return sizeof(uint) + sizeof(ushort) * d->length; }
+ bool isValid(int maxSize) const {
+ // Check byteSize() <= maxSize, avoiding integer overflow
+ maxSize -= sizeof(uint);
+ return maxSize >= 0 && uint(d->length) <= maxSize / sizeof(ushort);
+ }
+
inline String &operator=(const QString &str)
{
d->length = str.length();
@@ -400,11 +407,16 @@ public:
explicit Latin1String(const char *data) { d = (Data *)data; }
struct Data {
- qle_short length;
+ qle_ushort length;
char latin1[1];
};
Data *d;
+ int byteSize() const { return sizeof(ushort) + sizeof(char)*(d->length); }
+ bool isValid(int maxSize) const {
+ return byteSize() <= maxSize;
+ }
+
inline Latin1String &operator=(const QString &str)
{
int len = d->length = str.length();
@@ -606,7 +618,7 @@ public:
int indexOf(const QString &key, bool *exists) const;
int indexOf(QLatin1String key, bool *exists) const;
- bool isValid() const;
+ bool isValid(int maxSize) const;
};
@@ -616,7 +628,7 @@ public:
inline Value at(int i) const;
inline Value &operator [](int i);
- bool isValid() const;
+ bool isValid(int maxSize) const;
};
@@ -671,12 +683,12 @@ public:
// key
// value data follows key
- int size() const {
+ uint size() const {
int s = sizeof(Entry);
if (value.latinKey)
- s += sizeof(ushort) + qFromLittleEndian(*(ushort *) ((const char *)this + sizeof(Entry)));
+ s += shallowLatin1Key().byteSize();
else
- s += sizeof(uint) + sizeof(ushort)*qFromLittleEndian(*(int *) ((const char *)this + sizeof(Entry)));
+ s += shallowKey().byteSize();
return alignedSize(s);
}
@@ -702,6 +714,15 @@ public:
return shallowKey().toString();
}
+ bool isValid(int maxSize) const {
+ if (maxSize < (int)sizeof(Entry))
+ return false;
+ maxSize -= sizeof(Entry);
+ if (value.latinKey)
+ return shallowLatin1Key().isValid(maxSize);
+ return shallowKey().isValid(maxSize);
+ }
+
bool operator ==(const QString &key) const;
inline bool operator !=(const QString &key) const { return !operator ==(key); }
inline bool operator >=(const QString &key) const;
@@ -714,8 +735,6 @@ public:
bool operator >=(const Entry &other) const;
};
-inline bool operator!=(const Entry &lhs, const Entry &rhs) { return !(lhs == rhs); }
-
inline bool Entry::operator >=(const QString &key) const
{
if (value.latinKey)
diff --git a/src/corelib/json/qjsonobject.cpp b/src/corelib/json/qjsonobject.cpp
index fb651f0f24..b5b6f36bc6 100644
--- a/src/corelib/json/qjsonobject.cpp
+++ b/src/corelib/json/qjsonobject.cpp
@@ -599,8 +599,8 @@ bool QJsonObject::operator==(const QJsonObject &other) const
for (uint i = 0; i < o->length; ++i) {
QJsonPrivate::Entry *e = o->entryAt(i);
- QJsonPrivate::Entry *oe = other.o->entryAt(i);
- if (*e != *oe || QJsonValue(d, o, e->value) != QJsonValue(other.d, other.o, oe->value))
+ QJsonValue v(d, o, e->value);
+ if (other.value(e->key()) != v)
return false;
}
diff --git a/src/corelib/json/qjsonparser.cpp b/src/corelib/json/qjsonparser.cpp
index 6a3d1de99a..0eb0d21ecf 100644
--- a/src/corelib/json/qjsonparser.cpp
+++ b/src/corelib/json/qjsonparser.cpp
@@ -283,7 +283,6 @@ char Parser::nextToken()
case ValueSeparator:
case EndArray:
case EndObject:
- eatSpace();
case Quote:
break;
default:
@@ -391,6 +390,8 @@ bool Parser::parseObject()
}
int objectOffset = reserveSpace(sizeof(QJsonPrivate::Object));
+ if (objectOffset < 0)
+ return false;
BEGIN << "parseObject pos=" << objectOffset << current << json;
ParsedObject parsedObject(this, objectOffset);
@@ -423,6 +424,9 @@ bool Parser::parseObject()
if (parsedObject.offsets.size()) {
int tableSize = parsedObject.offsets.size()*sizeof(uint);
table = reserveSpace(tableSize);
+ if (table < 0)
+ return false;
+
#if Q_BYTE_ORDER == Q_LITTLE_ENDIAN
memcpy(data + table, parsedObject.offsets.constData(), tableSize);
#else
@@ -452,6 +456,8 @@ bool Parser::parseObject()
bool Parser::parseMember(int baseOffset)
{
int entryOffset = reserveSpace(sizeof(QJsonPrivate::Entry));
+ if (entryOffset < 0)
+ return false;
BEGIN << "parseMember pos=" << entryOffset;
bool latin1;
@@ -462,6 +468,10 @@ bool Parser::parseMember(int baseOffset)
lastError = QJsonParseError::MissingNameSeparator;
return false;
}
+ if (!eatSpace()) {
+ lastError = QJsonParseError::UnterminatedObject;
+ return false;
+ }
QJsonPrivate::Value val;
if (!parseValue(&val, baseOffset))
return false;
@@ -475,6 +485,42 @@ bool Parser::parseMember(int baseOffset)
return true;
}
+namespace {
+ struct ValueArray {
+ static const int prealloc = 128;
+ ValueArray() : data(stackValues), alloc(prealloc), size(0) {}
+ ~ValueArray() { if (data != stackValues) free(data); }
+
+ inline bool grow() {
+ alloc *= 2;
+ if (data == stackValues) {
+ QJsonPrivate::Value *newValues = static_cast<QJsonPrivate::Value *>(malloc(alloc*sizeof(QJsonPrivate::Value)));
+ if (!newValues)
+ return false;
+ memcpy(newValues, data, size*sizeof(QJsonPrivate::Value));
+ data = newValues;
+ } else {
+ data = static_cast<QJsonPrivate::Value *>(realloc(data, alloc*sizeof(QJsonPrivate::Value)));
+ if (!data)
+ return false;
+ }
+ return true;
+ }
+ bool append(const QJsonPrivate::Value &v) {
+ if (alloc == size && !grow())
+ return false;
+ data[size] = v;
+ ++size;
+ return true;
+ }
+
+ QJsonPrivate::Value stackValues[prealloc];
+ QJsonPrivate::Value *data;
+ int alloc;
+ int size;
+ };
+}
+
/*
array = begin-array [ value *( value-separator value ) ] end-array
*/
@@ -488,8 +534,10 @@ bool Parser::parseArray()
}
int arrayOffset = reserveSpace(sizeof(QJsonPrivate::Array));
+ if (arrayOffset < 0)
+ return false;
- QVarLengthArray<QJsonPrivate::Value, 64> values;
+ ValueArray values;
if (!eatSpace()) {
lastError = QJsonParseError::UnterminatedArray;
@@ -499,10 +547,17 @@ bool Parser::parseArray()
nextToken();
} else {
while (1) {
+ if (!eatSpace()) {
+ lastError = QJsonParseError::UnterminatedArray;
+ return false;
+ }
QJsonPrivate::Value val;
if (!parseValue(&val, arrayOffset))
return false;
- values.append(val);
+ if (!values.append(val)) {
+ lastError = QJsonParseError::DocumentTooLarge;
+ return false;
+ }
char token = nextToken();
if (token == EndArray)
break;
@@ -516,20 +571,22 @@ bool Parser::parseArray()
}
}
- DEBUG << "size =" << values.size();
+ DEBUG << "size =" << values.size;
int table = arrayOffset;
// finalize the object
- if (values.size()) {
- int tableSize = values.size()*sizeof(QJsonPrivate::Value);
+ if (values.size) {
+ int tableSize = values.size*sizeof(QJsonPrivate::Value);
table = reserveSpace(tableSize);
- memcpy(data + table, values.constData(), tableSize);
+ if (table < 0)
+ return false;
+ memcpy(data + table, values.data, tableSize);
}
QJsonPrivate::Array *a = (QJsonPrivate::Array *)(data + arrayOffset);
a->tableOffset = table - arrayOffset;
a->size = current - arrayOffset;
a->is_object = false;
- a->length = values.size();
+ a->length = values.size;
DEBUG << "current=" << current;
END;
@@ -636,6 +693,12 @@ bool Parser::parseValue(QJsonPrivate::Value *val, int baseOffset)
DEBUG << "value: object";
END;
return true;
+ case ValueSeparator:
+ // Essentially missing value, but after a colon, not after a comma
+ // like the other MissingObject errors.
+ lastError = QJsonParseError::IllegalValue;
+ return false;
+ case EndObject:
case EndArray:
lastError = QJsonParseError::MissingObject;
return false;
@@ -738,6 +801,8 @@ bool Parser::parseNumber(QJsonPrivate::Value *val, int baseOffset)
}
int pos = reserveSpace(sizeof(double));
+ if (pos < 0)
+ return false;
qToLittleEndian(ui, data + pos);
if (current - baseOffset >= Value::MaxSize) {
lastError = QJsonParseError::DocumentTooLarge;
@@ -856,6 +921,9 @@ bool Parser::parseString(bool *latin1)
// try to write out a latin1 string
int stringPos = reserveSpace(2);
+ if (stringPos < 0)
+ return false;
+
BEGIN << "parse string stringPos=" << stringPos << json;
while (json < end) {
uint ch = 0;
@@ -878,6 +946,8 @@ bool Parser::parseString(bool *latin1)
break;
}
int pos = reserveSpace(1);
+ if (pos < 0)
+ return false;
DEBUG << " " << ch << (char)ch;
data[pos] = (uchar)ch;
}
@@ -893,6 +963,8 @@ bool Parser::parseString(bool *latin1)
// write string length
*(QJsonPrivate::qle_ushort *)(data + stringPos) = ushort(current - outStart - sizeof(ushort));
int pos = reserveSpace((4 - current) & 3);
+ if (pos < 0)
+ return false;
while (pos & 3)
data[pos++] = 0;
END;
@@ -922,10 +994,14 @@ bool Parser::parseString(bool *latin1)
}
if (QChar::requiresSurrogates(ch)) {
int pos = reserveSpace(4);
+ if (pos < 0)
+ return false;
*(QJsonPrivate::qle_ushort *)(data + pos) = QChar::highSurrogate(ch);
*(QJsonPrivate::qle_ushort *)(data + pos + 2) = QChar::lowSurrogate(ch);
} else {
int pos = reserveSpace(2);
+ if (pos < 0)
+ return false;
*(QJsonPrivate::qle_ushort *)(data + pos) = (ushort)ch;
}
}
@@ -939,6 +1015,8 @@ bool Parser::parseString(bool *latin1)
// write string length
*(QJsonPrivate::qle_int *)(data + stringPos) = (current - outStart - sizeof(int))/2;
int pos = reserveSpace((4 - current) & 3);
+ if (pos < 0)
+ return false;
while (pos & 3)
data[pos++] = 0;
END;
diff --git a/src/corelib/json/qjsonparser_p.h b/src/corelib/json/qjsonparser_p.h
index e3b95109c6..afa2c1a8cf 100644
--- a/src/corelib/json/qjsonparser_p.h
+++ b/src/corelib/json/qjsonparser_p.h
@@ -109,6 +109,10 @@ private:
if (current + space >= dataLength) {
dataLength = 2*dataLength + space;
data = (char *)realloc(data, dataLength);
+ if (!data) {
+ lastError = QJsonParseError::DocumentTooLarge;
+ return -1;
+ }
}
int pos = current;
current += space;
diff --git a/src/corelib/json/qjsonvalue.cpp b/src/corelib/json/qjsonvalue.cpp
index 5a906dda7b..4b52014db1 100644
--- a/src/corelib/json/qjsonvalue.cpp
+++ b/src/corelib/json/qjsonvalue.cpp
@@ -349,6 +349,12 @@ QJsonValue &QJsonValue::operator =(const QJsonValue &other)
\row
\li
\list
+ \li QMetaType::Nullptr
+ \endlist
+ \li QJsonValue::Null
+ \row
+ \li
+ \list
\li QMetaType::Bool
\endlist
\li QJsonValue::Bool
@@ -393,6 +399,8 @@ QJsonValue &QJsonValue::operator =(const QJsonValue &other)
QJsonValue QJsonValue::fromVariant(const QVariant &variant)
{
switch (variant.userType()) {
+ case QMetaType::Nullptr:
+ return QJsonValue(Null);
case QVariant::Bool:
return QJsonValue(variant.toBool());
case QVariant::Int:
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-02 14:23:26 +0000