From 8e47474baf06b3884e9173302395dd25fc09eba9 Mon Sep 17 00:00:00 2001
From: Jüri Valdmann
Date: Tue, 8 May 2018 15:30:37 +0200
Subject: QJsonDocument: Avoid overflow of string lengths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The added test case contains the binary JSON equivalent of ["ž"] with the
modification that the string's length has been set to INT_MAX. In
Value::usedStorage this length is used through the pointer d like so

    s = sizeof(int) + sizeof(ushort) * qFromLittleEndian(*(int *)d);

Because 2 * INT_MAX is UINT_MAX-1, the expression as a whole evaluates to 2,
which is considered a valid storage size. However, when converting this
binary JSON into ordinary JSON we will attempt to construct a QString of
length INT_MAX.

Fixed by using String::isValid instead of Value::usedStorage. This method
already takes care to avoid the overflow problem.

Additionally, I've tried in this patch to clarify the behavior of
Value::isValid a bit by writing it in a style that is hopefully more
amenable to structural induction.

Finally, the test case added in my previous patch had the wrong file
extension and is renamed in this one.

Task-number: QTBUG-61969
Change-Id: I45d891f2467a71d8d105822ef7eb1a73c3efa67a
Reviewed-by: Thiago Macieira
---
 .../corelib/serialization/json/invalidBinaryData/40.bjson | Bin 0 -> 60 bytes
 .../corelib/serialization/json/invalidBinaryData/40.json  | Bin 60 -> 0 bytes
 .../corelib/serialization/json/invalidBinaryData/41.bjson | Bin 0 -> 32 bytes
 3 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 tests/auto/corelib/serialization/json/invalidBinaryData/40.bjson
 delete mode 100644 tests/auto/corelib/serialization/json/invalidBinaryData/40.json
 create mode 100644 tests/auto/corelib/serialization/json/invalidBinaryData/41.bjson
(limited to 'tests')
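The arithmetic the commit message describes is easy to reproduce in isolation. The following is an added example written for this page, not code from the Qt patch or from qjson_p.h: it models a binary-JSON string as a little-endian int length followed by that many UTF-16 code units (the layout the message implies), reproduces the truncating `usedStorage` computation with a hypothetical stand-in, and puts an overflow-free check in the spirit of `String::isValid` next to it. The function and constant names (`unsafeUsedStorage`, `safeStringFits`, `kOverflowing`, and so on) are constructed for the example, as are the two sample buffers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed sample values for this example (not Qt's test fixtures): a
// little-endian int length prefix followed by one UTF-16 code unit, U+017E
// ("ž"). The second buffer claims a length of INT_MAX for the same payload.
const unsigned char kBenign[6]      = {0x01, 0x00, 0x00, 0x00, 0x7E, 0x01}; // length 1
const unsigned char kOverflowing[6] = {0xFF, 0xFF, 0xFF, 0x7F, 0x7E, 0x01}; // length INT_MAX

// Portable little-endian decode of the int length prefix.
static int readLength(const unsigned char *d) {
    uint32_t v = uint32_t(d[0]) | (uint32_t(d[1]) << 8) |
                 (uint32_t(d[2]) << 16) | (uint32_t(d[3]) << 24);
    return static_cast<int>(v);
}

// Hypothetical stand-in for the arithmetic quoted from Value::usedStorage:
// the result is stored in an int, so sizeof(int) + sizeof(ushort) * INT_MAX
// is truncated modulo 2^32 and comes out as 2, a tiny and apparently valid size.
static int unsafeUsedStorage(const unsigned char *d) {
    size_t s = sizeof(int) + sizeof(uint16_t) * static_cast<size_t>(readLength(d));
    return static_cast<int>(static_cast<uint32_t>(s));  // modulo-2^32 truncation
}

// The check that consumes usedStorage: "does the value fit in the remaining bytes?"
// With the truncated size this accepts a string that cannot possibly be present.
static bool unsafeLooksValid(const unsigned char *d, int maxSize) {
    return unsafeUsedStorage(d) <= maxSize;
}

// Overflow-free check in the spirit of String::isValid (constructed here, not
// copied from Qt): bound the length by what the buffer can hold BEFORE any
// multiplication, so no intermediate value can wrap.
static bool safeStringFits(const unsigned char *d, int maxSize) {
    if (maxSize < static_cast<int>(sizeof(int)))
        return false;                                   // no room for the length prefix
    int len = readLength(d);
    if (len < 0)
        return false;                                   // a negative length is never valid
    int maxLen = (maxSize - static_cast<int>(sizeof(int))) / static_cast<int>(sizeof(uint16_t));
    return len <= maxLen;                               // compare against a bound; never multiply
}

int main() {
    const int size = static_cast<int>(sizeof kOverflowing);
    std::printf("usedStorage(INT_MAX) = %d, unsafe check: %s, safe check: %s\n",
                unsafeUsedStorage(kOverflowing),
                unsafeLooksValid(kOverflowing, size) ? "accepts" : "rejects",
                safeStringFits(kOverflowing, size) ? "accepts" : "rejects");
    return 0;
}
```

Running it shows the two checks disagreeing on the same six bytes: the truncating computation reports a storage size of 2 and accepts the value, while the bounded check rejects it because at most one code unit fits after the length prefix. The design point is the one the commit message makes: validate a length by comparing it against a pre-computed maximum derived from the buffer size, so the untrusted value is never an operand of a multiplication.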
diff --git a/tests/auto/corelib/serialization/json/invalidBinaryData/40.bjson b/tests/auto/corelib/serialization/json/invalidBinaryData/40.bjson new file mode 100644 index 0000000000..277096f8cb Binary files /dev/null and b/tests/auto/corelib/serialization/json/invalidBinaryData/40.bjson differ diff --git a/tests/auto/corelib/serialization/json/invalidBinaryData/40.json b/tests/auto/corelib/serialization/json/invalidBinaryData/40.json deleted file mode 100644 index 277096f8cb..0000000000 Binary files a/tests/auto/corelib/serialization/json/invalidBinaryData/40.json and /dev/null differ diff --git a/tests/auto/corelib/serialization/json/invalidBinaryData/41.bjson b/tests/auto/corelib/serialization/json/invalidBinaryData/41.bjson new file mode 100644 index 0000000000..0b5940ab95 Binary files /dev/null and b/tests/auto/corelib/serialization/json/invalidBinaryData/41.bjson differ
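Review bot: the 40.json to 40.bjson rename in the first two file regions is recorded as an unrelated delete plus create rather than a rename, even though both index lines carry the same blob (277096f8cb) and the diffstat shows 60 bytes moving from one name to the other; generating the patch with rename detection (git format-patch -M) would record it as a rename and keep the fixture's history attached to the new name. For the third region, 41.bjson is a 32-byte opaque fixture whose whole point (a string length field set to INT_MAX, per the commit message) is invisible in the diff; a short note per fixture in the invalidBinaryData directory, or a comment beside the test that loads it, would let the next maintainer see what each case exercises without reverse-engineering the bytes. Note also that this view is limited to 'tests', so the String::isValid substitution and the Value::isValid rewrite the message describes are not reviewable here and need to be checked in the full change.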