From 978804d2c229e1b15b497cb8de18032d1e220529 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Fri, 11 Mar 2016 14:59:19 +0100
Subject: QNetworkHeaders: fix UB (invalid enum value) in
 Private::parseAndSetHeader()

Found by UBSan:

  qnetworkrequest.cpp:1016:19: runtime error: load of value 4294967295, which is not a valid value for type 'KnownHeaders'

KnownHeaders does not contain a failure state, and no negative
values. -1 is therefore not a valid value for an object of type
KnownHeaders, so loading one is considered UB.

Fix by returning the result of parseHeaderName() as an int,
only casting to KnownHeaders after checking for the failure
case.

Change-Id: I6b165fe2b15c747344a9b2750bb753582c5bcbeb
Reviewed-by: Richard J. Moore <rich@kde.org>
---
 src/network/access/qnetworkrequest.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/network/access/qnetworkrequest.cpp b/src/network/access/qnetworkrequest.cpp
index 558e015ae4..f5010198f3 100644
--- a/src/network/access/qnetworkrequest.cpp
+++ b/src/network/access/qnetworkrequest.cpp
@@ -798,10 +798,10 @@ static QByteArray headerValue(QNetworkRequest::KnownHeaders header, const QVaria
     return QByteArray();
 }
 
-static QNetworkRequest::KnownHeaders parseHeaderName(const QByteArray &headerName)
+static int parseHeaderName(const QByteArray &headerName)
 {
     if (headerName.isEmpty())
-        return QNetworkRequest::KnownHeaders(-1);
+        return -1;
 
     switch (tolower(headerName.at(0))) {
     case 'c':
@@ -833,7 +833,7 @@ static QNetworkRequest::KnownHeaders parseHeaderName(const QByteArray &headerNam
         break;
     }
 
-    return QNetworkRequest::KnownHeaders(-1); // nothing found
+    return -1; // nothing found
 }
 
 static QVariant parseHttpDate(const QByteArray &raw)
@@ -1005,8 +1005,10 @@ void QNetworkHeadersPrivate::setRawHeaderInternal(const QByteArray &key, const Q
 void QNetworkHeadersPrivate::parseAndSetHeader(const QByteArray &key, const QByteArray &value)
 {
     // is it a known header?
-    QNetworkRequest::KnownHeaders parsedKey = parseHeaderName(key);
-    if (parsedKey != QNetworkRequest::KnownHeaders(-1)) {
+    const int parsedKeyAsInt = parseHeaderName(key);
+    if (parsedKeyAsInt != -1) {
+        const QNetworkRequest::KnownHeaders parsedKey
+                = static_cast<QNetworkRequest::KnownHeaders>(parsedKeyAsInt);
         if (value.isNull()) {
             cookedHeaders.remove(parsedKey);
         } else if (parsedKey == QNetworkRequest::ContentLengthHeader
-- 
cgit v1.2.3