From 4ec155053a77dd3817f11fc22c936533131eb681 Mon Sep 17 00:00:00 2001 From: Erik Verbruggen Date: Mon, 6 Aug 2018 15:49:10 +0200 Subject: Fix possible heap-buffer-overflow in qt_string_normalize When starting further into the string than index 0, do correct the length too. This shows up in tst_qurl and tst_qurlinternal. Kindly pointed out by ASAN: ==5513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600002bf27 at pc 0x000100654de3 bp 0x7ffeefbfad10 sp 0x7ffeefbfad08 READ of size 16 at 0x60600002bf27 thread T0 #0 0x100654de2 in QtNS::simdTestMask(char const*&, char const*, unsigned int) qstring.cpp:395 #1 0x1005f9777 in QtNS::isAscii(QtNS::QChar const*&, QtNS::QChar const*) qstring.cpp:491 #2 0x100638642 in QtNS::qt_string_normalize(QtNS::QString*, QtNS::QString::NormalizationForm, QtNS::QChar::UnicodeVersion, int) qstring.cpp:7999 Change-Id: I44ad65b47eb98c6085c77b56dc2da50ef5659d25 Reviewed-by: Lars Knoll Reviewed-by: Thiago Macieira
---
 src/corelib/tools/qstring.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/corelib/tools')
diff --git a/src/corelib/tools/qstring.cpp b/src/corelib/tools/qstring.cpp
index ec274d8abf..056ffebcbe 100644
--- a/src/corelib/tools/qstring.cpp
+++ b/src/corelib/tools/qstring.cpp
@@ -7996,7 +7996,7 @@ QString QString::repeated(int times) const
 void qt_string_normalize(QString *data, QString::NormalizationForm mode, QChar::UnicodeVersion version, int from)
 {
 const QChar *p = data->constData() + from;
- if (isAscii(p, p + data->length()))
+ if (isAscii(p, p + data->length() - from))
 return;
 if (p > data->constData() + from)
 from = p - data->constData() - 1; // need one before the non-ASCII to perform NFC
-- 
cgit v1.2.3
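Review bot: The corrected end pointer `p + data->length() - from` is only in bounds when `0 <= from <= data->length()`, and nothing in the hunk establishes that for the `int from` parameter; a `from` larger than the length makes the end pointer precede `p`, and what `isAscii` does with an inverted range cannot be told from here. Since the original defect was an out-of-bounds read in exactly this call, the precondition is worth pinning at the top of the function with `Q_ASSERT(from >= 0 && from <= data->length());` so a bad caller is caught in debug builds rather than becoming another OOB read. The intent would also read more directly if the end were computed from the buffer rather than from `p`, e.g. `const QChar *end = data->constData() + data->length();` followed by `if (isAscii(p, end))`, which makes the in-bounds argument visible without the subtraction. The body of qt_string_normalize continues past the end of the hunk.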