From 60a7d578c8add335900d4d1006b3b2c49f141873 Mon Sep 17 00:00:00 2001
From: Jüri Valdmann
Date: Thu, 3 May 2018 16:39:32 +0200
Subject: QJsonDocument: Validate also zero-length objects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The added test case is the binary JSON equivalent of {"a":{"š":null}} with two modifications. First, the length of the string "š" has been corrupted to 0xFFFFFF00. Second and more important, the Base::size field of the inner object has been reset to 0.

On its own the first modification would normally trigger a validation error. However, due to the second modification the Value::usedStorage for the inner object evaluates to 0, completely disabling all further validation of the object's contents. Attempting to convert this binary JSON into standard JSON will lead to the JSON writer trying to construct a QString of length 0xFFFFFF00.

Fixed by validating also objects with usedStorage == 0.

Task-number: QTBUG-61969
Change-Id: I5e59383674dec9be89361759572c0d91d4e16e01
Reviewed-by: Thiago Macieira
(cherry picked from commit 93e0ff037e3e4d72d404c26b8e957092d5f88652)
Reviewed-by: Lars Knoll
---
 src/corelib/json/qjson.cpp                        | 2 --
 tests/auto/corelib/json/invalidBinaryData/40.json | Bin 0 -> 60 bytes
 2 files changed, 2 deletions(-)
 create mode 100644 tests/auto/corelib/json/invalidBinaryData/40.json

diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index b483cc2d8c..944c7695c6 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -358,8 +358,6 @@ bool Value::isValid(const Base *b) const return false; int s = usedStorage(b); - if (!s) - return true; if (s < 0 || s > (int)b->tableOffset - offset) return false; if (type == QJsonValue::Array) 
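Review bot: With the `if (!s) return true;` short-circuit gone, a container whose header claims `size == 0` now passes the remaining range check unchanged (`s < 0 || s > (int)b->tableOffset - offset` admits s == 0) and falls into the per-type checks that follow (the visible `if (type == QJsonValue::Array)` branch and whatever handles `QJsonValue::Object`), so this fix only holds if those validators fail closed when handed a zero size budget instead of walking the entry table on trust; for the new 40.json case the object validator must reject the inner object outright, otherwise the corrupted 0xFFFFFF00 string length the commit message describes still reaches the writer. Please add a one-line comment at this spot stating that a zero `usedStorage` is deliberately not treated as "nothing to validate": the deleted pair reads like an intentional fast path and is the kind of thing a later cleanup reintroduces. Since the removed early return covered arrays as well as objects, a companion invalidBinaryData case with a zero-size array would exercise the `QJsonValue::Array` branch of the same fix.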
diff --git a/tests/auto/corelib/json/invalidBinaryData/40.json b/tests/auto/corelib/json/invalidBinaryData/40.json
new file mode 100644
index 0000000000..277096f8cb
Binary files /dev/null and b/tests/auto/corelib/json/invalidBinaryData/40.json differ