From 827ad07634291c17eac9741140ffc48dd5db79b4 Mon Sep 17 00:00:00 2001
From: Karsten Heimrich
Date: Mon, 26 Aug 2019 13:50:19 +0200
Subject: Fix crash with index out of bounds

Change-Id: Ibd7c4b6eef6ca08ad5ad51aa9a16aa6bf4a85288
Reviewed-by: Maurice Kalinowski
---
 src/knx/core/qknxbytearray.cpp | 3 +++
 src/knx/core/qknxbytearray.h | 5 ++++-
 src/knx/qknxdevicemanagementframe.cpp | 13 ++++++++-----
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/knx/core/qknxbytearray.cpp b/src/knx/core/qknxbytearray.cpp
index 6a573d6..53ed547 100644
--- a/src/knx/core/qknxbytearray.cpp
+++ b/src/knx/core/qknxbytearray.cpp
@@ -243,6 +243,9 @@ void QKnxByteArray::clear()
 */
 void QKnxByteArray::resize(int size)
 {
+ if (size == m_bytes.size())
+ return;
+
 if (size > m_bytes.size())
 m_bytes.append(size - m_bytes.size(), 0x00);
 else
diff --git a/src/knx/core/qknxbytearray.h b/src/knx/core/qknxbytearray.h
index 4f1fdb1..efc1a02 100644
--- a/src/knx/core/qknxbytearray.h
+++ b/src/knx/core/qknxbytearray.h
@@ -92,7 +92,10 @@ public:
 void resize(int size);
 inline quint8 at(int i) const { return m_bytes.at(i); }
- inline void set(int i, quint8 value) { m_bytes[i] = value; }
+ inline void set(int i, quint8 value) {
+ Q_ASSERT(i >= 0 && i < size());
+ m_bytes[i] = value;
+ }
 inline void setValue(int i, quint8 value)
 {
diff --git a/src/knx/qknxdevicemanagementframe.cpp b/src/knx/qknxdevicemanagementframe.cpp
index 562dd00..c36c5ca 100644
--- a/src/knx/qknxdevicemanagementframe.cpp
+++ b/src/knx/qknxdevicemanagementframe.cpp
@@ -339,6 +339,7 @@ void QKnxDeviceManagementFrame::setObjectInstance(quint8 instance)
 {
 if (instance < 1)
 return;
+ d_ptr->m_serviceInformation.resize(3);
 d_ptr->m_serviceInformation.set(2, instance);
 }
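Review bot: The bounds check added to `set()` in qknxbytearray.h is a `Q_ASSERT`, which is compiled out when `QT_NO_DEBUG` is defined, so in a release build an out-of-range `i` still reaches `m_bytes[i] = value`. Because `set()` is a public inline accessor, every caller that derives the index from frame contents depends on this check; a runtime guard such as `if (i < 0 || i >= size()) return;` ahead of the assignment keeps the debug assert useful while giving release builds defined behaviour. `at()` on the line above forwards to `m_bytes.at(i)` with no check of its own and may deserve the same treatment, depending on what the underlying container guarantees.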
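Review bot: `resize(3)` in setObjectInstance() is unconditional, and `QKnxByteArray::resize()` takes its `else` branch whenever the requested size is smaller than the current one, which presumably shrinks the buffer (the branch body is outside the visible hunk). If so, calling this setter on a frame that already carries a property id, element count or data drops everything after byte 2. The same applies to `resize(4)` in setProperty() and `resize(5)` in setNumberOfElements(), and setError() and setReturnCode() lose the `size() < N` guard they had before this commit. A grow-only form avoids the truncation: `if (d_ptr->m_serviceInformation.size() < 3) d_ptr->m_serviceInformation.resize(3);`, or one small ensure-size helper shared by all five setters.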
@@ -359,8 +360,10 @@ QKnxInterfaceObjectProperty QKnxDeviceManagementFrame::property() const
 */
 void QKnxDeviceManagementFrame::setProperty(QKnxInterfaceObjectProperty pid)
 {
- if (QKnxInterfaceObjectProperty::isProperty(pid))
+ if (QKnxInterfaceObjectProperty::isProperty(pid)) {
+ d_ptr->m_serviceInformation.resize(4);
 d_ptr->m_serviceInformation.set(3, quint8(pid));
+ }
 }
 /*!
@@ -384,6 +387,8 @@ void QKnxDeviceManagementFrame::setNumberOfElements(quint8 numOfElements)
 {
 if (numOfElements > 0x0f)
 return;
+
+ d_ptr->m_serviceInformation.resize(5);
 d_ptr->m_serviceInformation.set(4, (d_ptr->m_serviceInformation.value(4) & 0x0f) | (numOfElements << 4));
 }
@@ -475,8 +480,7 @@ void QKnxDeviceManagementFrame::setError(QKnxNetIpCemiServer::Error error)
 switch (messageCode()) {
 case MessageCode::PropertyReadConfirmation:
 case MessageCode::PropertyWriteConfirmation: {
- if (d_ptr->m_serviceInformation.size() < 7)
- d_ptr->m_serviceInformation.resize(7);
+ d_ptr->m_serviceInformation.resize(7);
 d_ptr->m_serviceInformation.set(6, quint8(error));
 }
 default:
@@ -523,8 +527,7 @@ void QKnxDeviceManagementFrame::setReturnCode(QKnxNetIpCemiServer::ReturnCode co
 return;
 }
- if (d_ptr->m_serviceInformation.size() < 6)
- d_ptr->m_serviceInformation.resize(6);
+ d_ptr->m_serviceInformation.resize(6);
 d_ptr->m_serviceInformation.set(5, quint8(code));
 }
-- 
cgit v1.2.3