From 8f19f142745f3cb0690dcd51cebc66153e396805 Mon Sep 17 00:00:00 2001
From: Sami Rosendahl
Date: Fri, 25 Nov 2011 11:13:46 +0200
Subject: Fix crash in QDBusDemarshaller basic string-like type extraction
QDBusArgument string extraction operators and QDBusDemarshaller that implements the extraction do not check the type of the extracted value. When extracting string-like basic DBus type that actually is e.g. an integer the string extraction will crash as it blindly attempts to use the integer as a pointer to char. The fix adds DBus type checks to QDBusArgument string type extraction operator implementations. The checks are as permissive as possible provided crashes are avoided. Previously supported functionality of extracting an object path or type signature to a string type is retained.
Task-number: QTBUG-22840
Change-Id: I29be1ae592658ca268c65ed692e1d42619d52280
Reviewed-by: Thiago Macieira
---
 src/dbus/qdbusargument_p.h | 4 ++++
 src/dbus/qdbusdemarshaller.cpp | 51 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 48 insertions(+), 7 deletions(-)
(limited to 'src/dbus')
diff --git a/src/dbus/qdbusargument_p.h b/src/dbus/qdbusargument_p.h
index d8ca442920..3ecb798f31 100644
--- a/src/dbus/qdbusargument_p.h
+++ b/src/dbus/qdbusargument_p.h
@@ -201,6 +201,7 @@ public:
 QVariant toVariantInternal();
 QDBusArgument::ElementType currentType();
+ bool isCurrentTypeStringLike();
 public:
 DBusMessageIter iterator;
@@ -208,6 +209,9 @@ public:
 private:
 Q_DISABLE_COPY(QDBusDemarshaller)
+ QString toStringUnchecked();
+ QDBusObjectPath toObjectPathUnchecked();
+ QDBusSignature toSignatureUnchecked();
 };
 inline QDBusMarshaller *QDBusArgumentPrivate::marshaller()
diff --git a/src/dbus/qdbusdemarshaller.cpp b/src/dbus/qdbusdemarshaller.cpp
index 4103552db1..0b6767f2a0 100644
--- a/src/dbus/qdbusdemarshaller.cpp
+++ b/src/dbus/qdbusdemarshaller.cpp
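Review bot: The three private `*Unchecked()` declarations in the second hunk of qdbusargument_p.h state no precondition, although the commit message says that reading a non-string element through this path is exactly what crashes. A one-line comment above `QString toStringUnchecked();` such as `// Read the current element as a string without verifying its D-Bus type; the caller must first establish it is STRING, OBJECT_PATH or SIGNATURE (see isCurrentTypeStringLike())` would stop the next maintainer from reaching for these helpers at a new call site. The same contract applies to `toObjectPathUnchecked()` and `toSignatureUnchecked()` declared beside it.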
@@ -130,19 +130,43 @@ inline double QDBusDemarshaller::toDouble()
 return qIterGet(&iterator);
 }
-inline QString QDBusDemarshaller::toString()
+inline QString QDBusDemarshaller::toStringUnchecked()
 {
 return QString::fromUtf8(qIterGet(&iterator));
 }
+inline QString QDBusDemarshaller::toString()
+{
+ if (isCurrentTypeStringLike())
+ return toStringUnchecked();
+ else
+ return QString();
+}
+
+inline QDBusObjectPath QDBusDemarshaller::toObjectPathUnchecked()
+ {
+ return QDBusObjectPath(QString::fromUtf8(qIterGet(&iterator)));
+ }
+
 inline QDBusObjectPath QDBusDemarshaller::toObjectPath()
 {
- return QDBusObjectPath(QString::fromUtf8(qIterGet(&iterator)));
+ if (isCurrentTypeStringLike())
+ return toObjectPathUnchecked();
+ else
+ return QDBusObjectPath();
 }
+inline QDBusSignature QDBusDemarshaller::toSignatureUnchecked()
+ {
+ return QDBusSignature(QString::fromUtf8(qIterGet(&iterator)));
+ }
+
 inline QDBusSignature QDBusDemarshaller::toSignature()
 {
- return QDBusSignature(QString::fromUtf8(qIterGet(&iterator)));
+ if (isCurrentTypeStringLike())
+ return toSignatureUnchecked();
+ else
+ return QDBusSignature();
 }
 inline QDBusUnixFileDescriptor QDBusDemarshaller::toUnixFileDescriptor()
@@ -236,11 +260,11 @@ QVariant QDBusDemarshaller::toVariantInternal()
 case DBUS_TYPE_UINT64:
 return toULongLong();
 case DBUS_TYPE_STRING:
- return toString();
+ return toStringUnchecked();
 case DBUS_TYPE_OBJECT_PATH:
- return QVariant::fromValue(toObjectPath());
+ return QVariant::fromValue(toObjectPathUnchecked());
 case DBUS_TYPE_SIGNATURE:
- return QVariant::fromValue(toSignature());
+ return QVariant::fromValue(toSignatureUnchecked());
 case DBUS_TYPE_VARIANT:
 return QVariant::fromValue(toVariant());
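Review bot: The checked extractors added in the first hunk (`toString()`, `toObjectPath()`, `toSignature()`) report a type mismatch only by returning a default-constructed value, which a caller cannot distinguish from a genuinely empty string, path or signature, and nothing in the hunk documents that. A comment above `inline QString QDBusDemarshaller::toString()` such as `// Type-checked: yields a null QString when the current element is not a string-like D-Bus type (see isCurrentTypeStringLike())` would make the contract explicit; the same note applies to the other two. If `qIterGet()` is what advances `iterator` (its definition is outside this hunk), the comment should also say that the mismatch path leaves the iterator on the offending element, so the caller's next extraction re-reads it.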
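Review bot: The switch to the `*Unchecked()` readers in the toVariantInternal() hunk is safe only because the enclosing `switch` has already dispatched on the element's D-Bus type, and the hunk does not say so; the switch head lies outside the hunk, so a reader sees three unchecked reads with no visible guard. A comment on the `case DBUS_TYPE_STRING:` arm such as `// the switch above has already established the element type, so the unchecked readers cannot misread a non-string element here` records why the cheaper path is acceptable at this one call site.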
@@ -280,6 +304,19 @@ QVariant QDBusDemarshaller::toVariantInternal()
 };
 }
+bool QDBusDemarshaller::isCurrentTypeStringLike()
+{
+ const int type = q_dbus_message_iter_get_arg_type(&iterator);
+ switch (type) {
+ case DBUS_TYPE_STRING: //FALLTHROUGH
+ case DBUS_TYPE_OBJECT_PATH: //FALLTHROUGH
+ case DBUS_TYPE_SIGNATURE:
+ return true;
+ default:
+ return false;
+ }
+}
+
 QStringList QDBusDemarshaller::toStringList()
 {
 QStringList list;
@@ -288,7 +325,7 @@ QStringList QDBusDemarshaller::toStringList()
 q_dbus_message_iter_recurse(&iterator, &sub.iterator);
 q_dbus_message_iter_next(&iterator);
 while (!sub.atEnd())
- list.append(sub.toString());
+ list.append(sub.toStringUnchecked());
 return list;
 }
--
cgit v1.2.3
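Review bot: The `//FALLTHROUGH` comments on `case DBUS_TYPE_STRING:` and `case DBUS_TYPE_OBJECT_PATH:` in isCurrentTypeStringLike() mark adjacent labels with no statements between them, which is not the kind of fall-through that compilers or linters warn about, so they only add noise. The function reads more directly as one expression: keep `const int type = q_dbus_message_iter_get_arg_type(&iterator);` and replace the switch with `return type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH || type == DBUS_TYPE_SIGNATURE;`. A short comment saying that the three types are grouped because each is carried as a character string on the wire, which is why the string extractors accept object paths and signatures (the commit message calls this retained behaviour), would explain the grouping to a reader who has not seen the bug report.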
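Review bot: toStringList() now reads every array element with `sub.toStringUnchecked()`, but neither this hunk nor its visible context checks that the array's element type is string-like, so an array of, say, integers extracted into a QStringList still performs the out-of-type read that this commit fixes for the scalar extractors. The cheapest guard using only what this change already provides is the loop condition `while (!sub.atEnd() && sub.isCurrentTypeStringLike())`, which stops at the first non-string element instead of dereferencing it; checking the array's element type once before recursing would be tidier but needs an element-type query that is not on this page. Reverting to the checked `sub.toString()` would not help: on a mismatch it returns without calling `qIterGet()`, and since that call is the only thing in the loop that can advance `sub.iterator`, the `!sub.atEnd()` loop would presumably never terminate. The function's opening lines, including the declaration of `sub`, are outside the hunk.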