From 03f1a69e9cffe919597373471f7609521a465470 Mon Sep 17 00:00:00 2001
From: Lars Knoll
Date: Wed, 18 Mar 2015 08:49:39 +0100
Subject: Avoid size overflows when inserting into very large JSON objects

QJson has a size limitation for arrays and objects. Make sure we don't go over that size limit and create corrupt objects when inserting data.

Change-Id: I45be3caefc282d8041f38acd120b985ed4389b8c
Reviewed-by: Oswald Buddenhagen
Reviewed-by: Simon Hausmann
Reviewed-by: Thiago Macieira
---
 src/corelib/json/qjsonarray.cpp | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

(limited to 'src/corelib/json/qjsonarray.cpp')

diff --git a/src/corelib/json/qjsonarray.cpp b/src/corelib/json/qjsonarray.cpp
index bb33dbde74..e8d54b5b87 100644
--- a/src/corelib/json/qjsonarray.cpp
+++ b/src/corelib/json/qjsonarray.cpp
@@ -382,7 +382,7 @@ void QJsonArray::removeAt(int i)
     if (!a || i < 0 || i >= (int)a->length)
         return;
 
-    detach();
+    detach2();
     a->removeItems(i, 1);
     ++d->compactionCounter;
     if (d->compactionCounter > 32u && d->compactionCounter >= unsigned(a->length) / 2u)
@@ -442,7 +442,8 @@ void QJsonArray::insert(int i, const QJsonValue &value)
     bool compressed;
     int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed);
 
-    detach(valueSize + sizeof(QJsonPrivate::Value));
+    if (!detach2(valueSize + sizeof(QJsonPrivate::Value)))
+        return;
 
     if (!a->length)
         a->tableOffset = sizeof(QJsonPrivate::Array);
@@ -492,7 +493,8 @@ void QJsonArray::replace(int i, const QJsonValue &value)
     bool compressed;
     int valueSize = QJsonPrivate::Value::requiredStorage(val, &compressed);
 
-    detach(valueSize);
+    if (!detach2(valueSize))
+        return;
 
     if (!a->length)
         a->tableOffset = sizeof(QJsonPrivate::Array);
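Review bot: The result of `detach2()` is discarded on the added line in removeAt, so when detach2 reports failure (its clone path returns false on a null `d->clone()` result, per the detach2 hunk) execution continues into `a->removeItems(i, 1)` on storage that may still be shared with other QJsonArray copies. The same discarded result appears in compact() in the last hunk of this patch. With a reserve of 0 a clone failure is presumably rare, but since the new API reports failure it is cheaper to honour it than to reason about when it cannot happen: `if (!detach2()) return;` in both places. removeAt's body continues outside the hunk.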
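Review bot: insert() now silently returns when `detach2()` rejects the allocation, so a value that would push the array past QJsonPrivate::Value::MaxSize is dropped with only a qWarning and no way for the caller to detect it; replace() in the next hunk behaves the same way. That is a defensible choice for a void API, but the public \fn documentation of insert() and replace() (outside these hunks) should state it, e.g. `\note If the array would grow beyond the maximum size supported by QJson, the value is not stored and a warning is printed.` Both function bodies start before and continue after their hunks.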
@@ -1122,22 +1124,39 @@ bool QJsonArray::operator!=(const QJsonArray &other) const
     \internal
  */
 void QJsonArray::detach(uint reserve)
+{
+    Q_UNUSED(reserve)
+    Q_ASSERT(!reserve);
+    detach2(0);
+}
+
+/*!
+    \internal
+ */
+bool QJsonArray::detach2(uint reserve)
 {
     if (!d) {
+        if (reserve >= QJsonPrivate::Value::MaxSize) {
+            qWarning("QJson: Document too large to store in data structure");
+            return false;
+        }
         d = new QJsonPrivate::Data(reserve, QJsonValue::Array);
         a = static_cast(d->header->root());
         d->ref.ref();
-        return;
+        return true;
     }
     if (reserve == 0 && d->ref.load() == 1)
-        return;
+        return true;
 
     QJsonPrivate::Data *x = d->clone(a, reserve);
+    if (!x)
+        return false;
     x->ref.ref();
     if (!d->ref.deref())
         delete d;
     d = x;
     a = static_cast(d->header->root());
+    return true;
 }
 
 /*!
@@ -1148,7 +1167,7 @@ void QJsonArray::compact()
     if (!d || !d->compactionCounter)
         return;
 
-    detach();
+    detach2();
     d->compact();
     a = static_cast(d->header->root());
 }
-- 
cgit v1.2.3
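Review bot: The rewritten `detach(uint reserve)` asserts `!reserve` but then calls `detach2(0)`, so in a release build (where Q_ASSERT is compiled out) any remaining caller that still passes a non-zero reserve gets a detach that does not grow the storage at all, and its subsequent write lands past the allocation, which is the corruption this commit sets out to prevent. Forwarding the argument keeps the assert as a debug aid without weakening release behaviour: `detach2(reserve);`. Separately, the `reserve >= QJsonPrivate::Value::MaxSize` check on the `!d` path compares the payload alone; if the `QJsonPrivate::Data` constructor (not visible here) adds header or table bytes on top of `reserve`, a value just under MaxSize still yields an oversized block, so the bound should probably include that overhead or be enforced inside Data itself. The clone path relies entirely on `d->clone()` returning null on overflow, which is defined outside this file and worth confirming.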