From c365fa49d85810c6ad09bb5f43b5081cd7543bf1 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Mon, 19 Dec 2016 13:50:17 +0100
Subject: fix out-of-bounds access on trailing percent sign in tr() argument

tr() recognizes %n and %Ln. it offers no way to escape lone percent signs, which implies that they must be interpreted verbatim, which is what the code actually does. except that it would run off the end if the % appeared at the end of the string.

Fixes: QTBUG-57171
Done-with: Mateusz Starzycki
Change-Id: Icf81925c482be1ea66ec8daafb3e92ad17ea7fab
Reviewed-by: Oswald Buddenhagen
---
 src/corelib/kernel/qcoreapplication.cpp | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src/corelib/kernel/qcoreapplication.cpp')
diff --git a/src/corelib/kernel/qcoreapplication.cpp b/src/corelib/kernel/qcoreapplication.cpp
index 3c8b0f947c..b6b4da3885 100644
--- a/src/corelib/kernel/qcoreapplication.cpp
+++ b/src/corelib/kernel/qcoreapplication.cpp
@@ -2097,9 +2097,13 @@ static void replacePercentN(QString *result, int n)
 int len = 0;
 while ((percentPos = result->indexOf(QLatin1Char('%'), percentPos + len)) != -1) {
 len = 1;
+ if (percentPos + len == result->length())
+ break;
 QString fmt;
 if (result->at(percentPos + len) == QLatin1Char('L')) {
 ++len;
+ if (percentPos + len == result->length())
+ break;
 fmt = QLatin1String("%L1");
 } else {
 fmt = QLatin1String("%1");
-- cgit v1.2.3
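Review bot: The two added `if (percentPos + len == result->length()) break;` guards carry no comment, so a reader of the loop cannot tell that a trailing `%` or `%L` is deliberately left verbatim rather than treated as an error. I would put `// a lone '%' or "%L" at the end of the string is kept as is; there is nothing left to read` above the first guard. Writing both comparisons as `>=` instead of `==` would also keep the bounds check valid if the `len` arithmetic is changed later; as written, equality is the only out-of-range case because `indexOf` returns a position inside the string. The string reaching `result->at()` is presumably translated text that may come from a loaded catalog, so this bounds check is worth pinning with a regression case for inputs ending in `%` and in `%L`; the commit touches only qcoreapplication.cpp. The body of replacePercentN continues past the end of the hunk.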