From 2352fa0040f133e30ccc3955031618f51214791d Mon Sep 17 00:00:00 2001
From: Ivan Solovev
Date: Fri, 26 Apr 2024 17:11:04 +0200
Subject: QDataStream::readBytes: guard against integer overflow

The step variable changes in the geometric progression, which means that it may overflow at some point. Since it is a qsizetype (signed 64 or 32 bit integer), the overflow would be UB, so we need to avoid it.

Add an extra check that the step is lower than the safe threshold before increasing it.

Amends a1bfac287ee5d3719646d68dc91dc8e8e4cec04e.

Pick-to: 6.7
Change-Id: I6097986e614937fa88b31b3dd1e53ecff22533d7
Reviewed-by: Marc Mutz
Reviewed-by: Thiago Macieira
---
 src/corelib/serialization/qdatastream.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/corelib/serialization/qdatastream.cpp')

diff --git a/src/corelib/serialization/qdatastream.cpp b/src/corelib/serialization/qdatastream.cpp
index 6dcc0890e3..329be4a294 100644
--- a/src/corelib/serialization/qdatastream.cpp
+++ b/src/corelib/serialization/qdatastream.cpp
@@ -1090,6 +1090,7 @@ QDataStream &QDataStream::readBytes(char *&s, qint64 &l)
     qsizetype allocated = 0;
     std::unique_ptr curBuf = nullptr;
 
+    constexpr qsizetype StepIncreaseThreshold = std::numeric_limits::max() / 2;
     do {
         qsizetype blockSize = qMin(step, len - allocated);
         const qsizetype n = allocated + blockSize + 1;
@@ -1098,7 +1099,8 @@ QDataStream &QDataStream::readBytes(char *&s, qint64 &l)
         if (readBlock(curBuf.get() + allocated, blockSize) != blockSize)
             return *this;
         allocated += blockSize;
-        step *= 2;
+        if (step <= StepIncreaseThreshold)
+            step *= 2;
     } while (allocated < len);
 
     s = curBuf.release();
-- 
cgit v1.2.3
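Review bot: The new guard `if (step <= StepIncreaseThreshold)` in the second hunk, and the constant it relies on in the first, carry no comment saying why max()/2 is the bound, so a later reader has to re-derive that a value no larger than max()/2 can be doubled without signed overflow (which would be UB); add above the constant `// Largest step that can still be doubled without overflowing qsizetype.` and on the check `// Past the threshold the step simply stops growing; blockSize stays clamped by len - allocated.`. The check only bounds `step`; the allocation size `n = allocated + blockSize + 1` is bounded by `len + 1`, so whether that sum can itself overflow depends on how `len` is validated before the loop, which is not visible in this hunk. readBytes begins and ends outside the hunks shown. The template arguments on `std::unique_ptr curBuf` and `std::numeric_limits::max()` appear to have been stripped by the page rendering (presumably `<char[]>` and `<qsizetype>`), so the hunk as displayed would not compile verbatim.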