From 93e0ff037e3e4d72d404c26b8e957092d5f88652 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCri=20Valdmann?=
Date: Thu, 3 May 2018 16:39:32 +0200
Subject: QJsonDocument: Validate also zero-length objects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The added test case is the binary JSON equivalent of {"a":{"š":null}} with two modifications. First, the length of the string "š" has been corrupted to 0xFFFFFF00. Second and more import, the Base::size field of the inner object has been reset to 0. On its own the first modification would normally trigger a validation error. However, due to the second modification the Value::usedStorage for the inner object evaluates to 0, completely disabling all further validation of the object's contents. Attempting to convert this binary JSON into standard JSON will lead to the JSON writer trying to construct a QString of length 0xFFFFFF00. Fixed by validating also objects with usedStorage == 0.

Task-number: QTBUG-61969
Change-Id: I5e59383674dec9be89361759572c0d91d4e16e01
Reviewed-by: Thiago Macieira
---
 src/corelib/serialization/qjson.cpp | 2 --
 1 file changed, 2 deletions(-)

(limited to 'src/corelib/serialization/qjson.cpp')

diff --git a/src/corelib/serialization/qjson.cpp b/src/corelib/serialization/qjson.cpp
index c5e9eb70e1..592f6168dc 100644
--- a/src/corelib/serialization/qjson.cpp
+++ b/src/corelib/serialization/qjson.cpp
@@ -351,8 +351,6 @@ bool Value::isValid(const Base *b) const
 return false;
 int s = usedStorage(b);
- if (!s)
- return true;
 if (s < 0 || s > (int)b->tableOffset - offset)
 return false;
 if (type == QJsonValue::Array)
--
cgit v1.2.3
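Review bot: With the `if (!s) return true;` shortcut removed, a value whose `usedStorage(b)` is 0 now reaches `Array::isValid(s)` / `Object::isValid(s)` with a maxSize of 0, so the fix only closes the hole if those callees treat 0 as a hard upper bound on the header and offset table rather than as "no limit"; neither body is in this hunk, so that should be confirmed against them. The surviving range check `if (s < 0 || s > (int)b->tableOffset - offset)` gives a reader no hint why the zero case is no longer short-circuited, and the shortcut could easily be reintroduced as an optimisation later; a one-line comment above it would pin the intent, e.g. `// usedStorage() == 0 is not a fast path: a Base::size corrupted to 0 must still have its table validated (QTBUG-61969).` The commit message describes a regression test with that corrupted document, but the diff shown is limited to qjson.cpp, so the test is not reviewable here. Value::isValid begins and ends outside this hunk.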