From a93cf5835d87ecb7c850a494847f5bde863cae22 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Fri, 18 Jun 2021 09:48:55 +0200
Subject: QString: Respect precision when reading data for %.*s format string

If we disregard the precision we may read a very large string that we subsequently discard. Furthermore, people use this to read non-null-terminated strings, which randomly crashes.

Change-Id: Ifa255dbe71c82d3d4fb46adfef7a9dc74bd40cee
Reviewed-by: Oswald Buddenhagen
Reviewed-by: Thiago Macieira
(cherry picked from commit e99e07cb5c939ca5bbb1dfdeb66c862d6cd4f2f2)
Reviewed-by: Fabian Kosmale
---
 src/corelib/text/qstring.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/corelib/text/qstring.cpp b/src/corelib/text/qstring.cpp
index db6c1487c8..d51916d31a 100644
--- a/src/corelib/text/qstring.cpp
+++ b/src/corelib/text/qstring.cpp
@@ -6770,13 +6770,17 @@ QString QString::vasprintf(const char *cformat, va_list ap)
 if (length_mod == lm_l) {
 const ushort *buff = va_arg(ap, const ushort*);
 const ushort *ch = buff;
- while (*ch != 0)
+ while (precision != 0 && *ch != 0) {
 ++ch;
+ --precision;
+ }
 subst.setUtf16(buff, ch - buff);
- } else
+ } else if (precision == -1) {
 subst = QString::fromUtf8(va_arg(ap, const char*));
- if (precision != -1)
- subst.truncate(precision);
+ } else {
+ const char *buff = va_arg(ap, const char*);
+ subst = QString::fromUtf8(buff, qstrnlen(buff, precision));
+ }
 ++c;
 break;
 }
-- cgit v1.2.3
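Review bot: The `else if (precision == -1)` branch treats only the exact sentinel as "no precision", so any other negative value would fall into the final `else` and reach `qstrnlen(buff, precision)`, where a negative int presumably converts to a very large unsigned bound; in the `lm_l` loop it would likewise never count down to zero. Whether the `.*` parsing earlier in vasprintf already normalises negative arguments is not visible in this hunk; if it does not, `} else if (precision < 0) {` states the intent directly and keeps the unbounded read an explicit choice. Separately, the `const char*` path now applies the precision to UTF-8 bytes before decoding rather than to UTF-16 units after it, so a limit that lands inside a multi-byte sequence hands `fromUtf8` a truncated sequence; a one-line comment such as `// precision counts bytes of the UTF-8 input, as in printf` above the `qstrnlen` call would make that explicit. The enclosing switch case begins and ends outside the hunk.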