From 20f014e72e629d0369c1bd7ba595f8ea8d6e106f Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Thu, 16 Dec 2021 07:21:46 +0100
Subject: QString: fix UB (pointer arithmetic on nullptr) in qLastIndexOf

Says ubsan:
qstring.cpp:10484:17: runtime error: applying non-zero offset 18446744073709551614 to null pointer

If we search for a null needle, we stored 0-1 in a size_t variable and unconditionally appied that offset to the needle's data() pointer. That being the nullptr, ubsan complained.

To fix, set sl_minus_1 to 0 if it would underflow. In that case, sl_minus_1, n, and h, are not used, anyway, so their values don't matter as long as we don't invoke UB.

Change-Id: Idca4e845c77838dfc84acdb68bbbc98382b5e1d5
Reviewed-by: Sona Kurazyan
Reviewed-by: Anton Kudryavtsev
Reviewed-by: Thiago Macieira
(cherry picked from commit 6830bdc1401e55680859b74036e9e9d90c359028)
Reviewed-by: Qt Cherry-pick Bot
---
 src/corelib/text/qstring.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/corelib/text/qstring.cpp')

diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp
index bac6d20c0c..7e985aa774 100644
--- a/src/corelib/text/qstring.cpp
+++ b/src/corelib/text/qstring.cpp
@@ -12312,7 +12312,7 @@ static qsizetype qLastIndexOf(Haystack haystack0, qsizetype from,
 const auto needle = needle0.data();
 const auto *end = haystack;
 haystack += from;
- const std::size_t sl_minus_1 = sl - 1;
+ const std::size_t sl_minus_1 = sl ? sl - 1 : 0;
 const auto *n = needle + sl_minus_1;
 const auto *h = haystack + sl_minus_1;
 std::size_t hashNeedle = 0, hashHaystack = 0;
-- cgit v1.2.3
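Review bot: The new `sl ? sl - 1 : 0` guard has no comment explaining why it exists, and the justification lives only in the commit message, so a later "simplification" back to `sl - 1` would silently reintroduce the nullptr-offset UB that ubsan reported; I would add `// sl == 0: needle.data() may be nullptr, and nullptr + (size_t)-1 is UB; n and h are unused in that case` above the changed line. The claim that `sl_minus_1`, `n` and `h` are unused when `sl == 0` is not visible in the hunk (the early-out it presumably refers to, and the declaration of `sl`, are outside this hunk), so the comment should point at that check by name once it is confirmed. Note that the next context line, `haystack + sl_minus_1`, has the same shape and is only UB-free if `haystack` is non-null or `from` and `sl` were bounds-checked earlier; that check is also outside the hunk and worth referencing in the same comment. The enclosing function `qLastIndexOf` starts and ends outside the hunk.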