From bfaa8925d5cc0a59cec3f747a8d982ca819f026b Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 2 Nov 2016 14:10:47 +0100
Subject: Improve the validation algorithm for binary JSON

Add better boundary checks and catch (hopefully all)
cases where invalid binary JSON could cause crashes.

Change-Id: I206510b7c5e3ba953802a5f46645878e65704ecc
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
---
 src/corelib/json/qjson.cpp | 25 +++++++++++++------------
 src/corelib/json/qjson_p.h | 35 ++++++++++++++++++++++++++++-------
 2 files changed, 41 insertions(+), 19 deletions(-)

(limited to 'src/corelib/json')

diff --git a/src/corelib/json/qjson.cpp b/src/corelib/json/qjson.cpp
index c3b58e59a5..c6fff068ce 100644
--- a/src/corelib/json/qjson.cpp
+++ b/src/corelib/json/qjson.cpp
@@ -129,10 +129,12 @@ bool Data::valid() const
         return false;
 
     bool res = false;
-    if (header->root()->is_object)
-        res = static_cast<Object *>(header->root())->isValid();
+    Base *root = header->root();
+    int maxSize = alloc - sizeof(Header);
+    if (root->is_object)
+        res = static_cast<Object *>(root)->isValid(maxSize);
     else
-        res = static_cast<Array *>(header->root())->isValid();
+        res = static_cast<Array *>(root)->isValid(maxSize);
 
     return res;
 }
@@ -195,9 +197,9 @@ int Object::indexOf(const QString &key, bool *exists)
     return min;
 }
 
-bool Object::isValid() const
+bool Object::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     QString lastKey;
@@ -206,8 +208,7 @@ bool Object::isValid() const
         if (entryOffset + sizeof(Entry) >= tableOffset)
             return false;
         Entry *e = entryAt(i);
-        int s = e->size();
-        if (table()[i] + s > tableOffset)
+        if (!e->isValid(tableOffset - table()[i]))
             return false;
         QString key = e->key();
         if (key < lastKey)
@@ -221,9 +222,9 @@ bool Object::isValid() const
 
 
 
-bool Array::isValid() const
+bool Array::isValid(int maxSize) const
 {
-    if (tableOffset + length*sizeof(offset) > size)
+    if (size > (uint)maxSize || tableOffset + length*sizeof(offset) > size)
         return false;
 
     for (uint i = 0; i < length; ++i) {
@@ -323,12 +324,12 @@ bool Value::isValid(const Base *b) const
     int s = usedStorage(b);
     if (!s)
         return true;
-    if (s < 0 || offset + s > (int)b->tableOffset)
+    if (s < 0 || s > (int)b->tableOffset - offset)
         return false;
     if (type == QJsonValue::Array)
-        return static_cast<Array *>(base(b))->isValid();
+        return static_cast<Array *>(base(b))->isValid(s);
     if (type == QJsonValue::Object)
-        return static_cast<Object *>(base(b))->isValid();
+        return static_cast<Object *>(base(b))->isValid(s);
     return true;
 }
 
diff --git a/src/corelib/json/qjson_p.h b/src/corelib/json/qjson_p.h
index b7de24d165..c5fd38e640 100644
--- a/src/corelib/json/qjson_p.h
+++ b/src/corelib/json/qjson_p.h
@@ -302,12 +302,19 @@ public:
     String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_int length;
+        qle_uint length;
         qle_ushort utf16[1];
     };
 
     Data *d;
 
+    int byteSize() const { return sizeof(uint) + sizeof(ushort) * d->length; }
+    bool isValid(int maxSize) const {
+        // Check byteSize() <= maxSize, avoiding integer overflow
+        maxSize -= sizeof(uint);
+        return maxSize >= 0 && uint(d->length) <= maxSize / sizeof(ushort);
+    }
+
     inline String &operator=(const QString &str)
     {
         d->length = str.length();
@@ -376,11 +383,16 @@ public:
     Latin1String(const char *data) { d = (Data *)data; }
 
     struct Data {
-        qle_short length;
+        qle_ushort length;
         char latin1[1];
     };
     Data *d;
 
+    int byteSize() const { return sizeof(ushort) + sizeof(char)*(d->length); }
+    bool isValid(int maxSize) const {
+        return byteSize() <= maxSize;
+    }
+
     inline Latin1String &operator=(const QString &str)
     {
         int len = d->length = str.length();
@@ -567,7 +579,7 @@ public:
     }
     int indexOf(const QString &key, bool *exists);
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -577,7 +589,7 @@ public:
     inline Value at(int i) const;
     inline Value &operator [](int i);
 
-    bool isValid() const;
+    bool isValid(int maxSize) const;
 };
 
 
@@ -631,12 +643,12 @@ public:
     // key
     // value data follows key
 
-    int size() const {
+    uint size() const {
         int s = sizeof(Entry);
         if (value.latinKey)
-            s += sizeof(ushort) + qFromLittleEndian(*(ushort *) ((const char *)this + sizeof(Entry)));
+            s += shallowLatin1Key().byteSize();
         else
-            s += sizeof(uint) + sizeof(ushort)*qFromLittleEndian(*(int *) ((const char *)this + sizeof(Entry)));
+            s += shallowKey().byteSize();
         return alignedSize(s);
     }
 
@@ -662,6 +674,15 @@ public:
         return shallowKey().toString();
     }
 
+    bool isValid(int maxSize) const {
+        if (maxSize < (int)sizeof(Entry))
+            return false;
+        maxSize -= sizeof(Entry);
+        if (value.latinKey)
+            return shallowLatin1Key().isValid(maxSize);
+        return shallowKey().isValid(maxSize);
+    }
+
     bool operator ==(const QString &key) const;
     inline bool operator !=(const QString &key) const { return !operator ==(key); }
     inline bool operator >=(const QString &key) const;
-- 
cgit v1.2.3


From 80842959c4f63be930c77da39df7ac386dcaa1d7 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@kdab.com>
Date: Sat, 12 Nov 2016 21:01:20 +0100
Subject: Revert "Optimize QJsonObject::operator=="

This reverts commit 862fa24179505ef725ff78bb64bdabd54bd00c95,
which attempted to optimize QJsonObject::operator== under the
assumption that the entries it holds are lexicographically
sorted. They should be, because Object::indexOf() finds them
by binary search, but apparently both fromJson(), as well as
construction through op[] leave (some) entries unsorted.

This behavior should be fixed, because other code relies on
sorted entries, too, but until the problem is more fully under-
stood, revert the patch to unbreak equality comparisons.

Task-number: QTBUG-56843
Change-Id: I5b608c16d1bbcb4f01b75ce93bd58b49ff050be2
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
---
 src/corelib/json/qjson_p.h       | 2 --
 src/corelib/json/qjsonobject.cpp | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

(limited to 'src/corelib/json')

diff --git a/src/corelib/json/qjson_p.h b/src/corelib/json/qjson_p.h
index c5fd38e640..5be31ca03f 100644
--- a/src/corelib/json/qjson_p.h
+++ b/src/corelib/json/qjson_p.h
@@ -691,8 +691,6 @@ public:
     bool operator >=(const Entry &other) const;
 };
 
-inline bool operator!=(const Entry &lhs, const Entry &rhs) { return !(lhs == rhs); }
-
 inline bool Entry::operator >=(const QString &key) const
 {
     if (value.latinKey)
diff --git a/src/corelib/json/qjsonobject.cpp b/src/corelib/json/qjsonobject.cpp
index f5fd76eac0..b83c8dd19a 100644
--- a/src/corelib/json/qjsonobject.cpp
+++ b/src/corelib/json/qjsonobject.cpp
@@ -545,8 +545,8 @@ bool QJsonObject::operator==(const QJsonObject &other) const
 
     for (uint i = 0; i < o->length; ++i) {
         QJsonPrivate::Entry *e = o->entryAt(i);
-        QJsonPrivate::Entry *oe = other.o->entryAt(i);
-        if (*e != *oe || QJsonValue(d, o, e->value) != QJsonValue(other.d, other.o, oe->value))
+        QJsonValue v(d, o, e->value);
+        if (other.value(e->key()) != v)
             return false;
     }
 
-- 
cgit v1.2.3