From b69c2e86de99cb2ac9bcd2e33ae77c960cfbc57a Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Mon, 19 Jan 2015 01:26:56 +0100
Subject: QFreeList: fix undefined behavior

Signed integer overflow is undefined behavior ([expr]/4), but unsigned arithmetic doesn't overflow, so isn't ([basic.fundamental]/4, footnote there). So, use unsigned arithmetic for the loop-around serial number generation in incrementserial(). While we're at it, also use it for the masking operation in the same function. Found by UBSan.

Change-Id: I500fae9d80fd3f6e39d06e79a53d271b82ea8df8
Reviewed-by: Olivier Goffart (Woboq GmbH)
---
src/corelib/tools/qfreelist_p.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/corelib/tools/qfreelist_p.h')

diff --git a/src/corelib/tools/qfreelist_p.h b/src/corelib/tools/qfreelist_p.h
index bfb03fb723..189140016c 100644
--- a/src/corelib/tools/qfreelist_p.h
+++ b/src/corelib/tools/qfreelist_p.h
@@ -171,7 +171,7 @@ class QFreeList
 // take the current serial number from \a o, increment it, and store it in \a n
 static inline int incrementserial(int o, int n)
 {
- return (n & ConstantsType::IndexMask) | ((o + ConstantsType::SerialCounter) & ConstantsType::SerialMask);
+ return int((uint(n) & ConstantsType::IndexMask) | ((uint(o) + ConstantsType::SerialCounter) & ConstantsType::SerialMask));
 }
 // the blocks
--
cgit v1.2.3
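Review bot: Nothing in `incrementserial()` records why the operands are cast to `uint`, so a later cleanup that removes the "redundant" casts would silently reintroduce the signed overflow. A comment above the return would keep the intent, for example `// unsigned on purpose: the serial is meant to wrap around, and signed overflow is UB`. The outer `int(...)` conversion is implementation-defined before C++20 when the masked value exceeds INT_MAX. Whether that can happen depends on `ConstantsType::SerialMask` and `ConstantsType::IndexMask`, which are defined outside this hunk, so it is worth confirming that the masks clear the sign bit, or stating that assumption in the same comment. The enclosing class QFreeList starts and ends outside the hunk.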