Fix possible crash in the uacpp value converter

The copyTo methods of the uacpp C++ API clear the old values of the underlying structs. If uninitialized memory is used as target for copyTo, a crash may occur. Change-Id: Ia6a0cc0e3a6817734b6722ee2124cd50f418c500 Reviewed-by: Rainer Keller <Rainer.Keller@qt.io>
author: Jannis Voelker <jannis.voelker@basyskom.com> 2018-06-21 16:17:13 +0200
committer: Jannis Völker <jannis.voelker@basyskom.com> 2018-06-25 11:17:03 +0000
commit: 3fc61780187113455988307be2a93a1e801004c8 (patch)
tree: 2e74cc1d61fc15425064560324a1bde8f7c97542
parent: e9d5fa0ae4b9e2043dd3054797f7a766ecbeae1d (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/src/plugins/opcua/uacpp/quacppvalueconverter.cpp b/src/plugins/opcua/uacpp/quacppvalueconverter.cpp
index 3d94bc3..af69d0a 100644
--- a/src/plugins/opcua/uacpp/quacppvalueconverter.cpp
+++ b/src/plugins/opcua/uacpp/quacppvalueconverter.cpp
@@ -588,8 +588,8 @@ OpcUa_Variant arrayFromQVariant(const QVariant &var, const OpcUa_BuiltInType typ
         opcuavariant.Datatype = type;
         opcuavariant.ArrayType = OpcUa_True;
         opcuavariant.Value.Array.Length = list.size();
-        // Use malloc() instead of new because the OPC UA stack uses free() internally when clearing the data
-        TARGETTYPE *arr = static_cast<TARGETTYPE *>(malloc(sizeof(TARGETTYPE) * list.size()));
+        // Use calloc() instead of new because the OPC UA stack uses free() internally when clearing the data
+        TARGETTYPE *arr = static_cast<TARGETTYPE *>(calloc(list.size(), sizeof(TARGETTYPE)));
         opcuavariant.Value.Array.Value.Array = arr;
 
         for (int i = 0; i < list.size(); ++i)
@@ -621,8 +621,8 @@ OpcUa_Variant arrayFromQVariantPointer(const QVariant &var, const OpcUa_BuiltInT
         opcuavariant.Datatype = type;
         opcuavariant.ArrayType = OpcUa_True;
         opcuavariant.Value.Array.Length = list.size();
-        // Use malloc() instead of new because the OPC UA stack uses free() internally when clearing the data
-        TARGETTYPE *arr = static_cast<TARGETTYPE *>(malloc(sizeof(TARGETTYPE) * list.size()));
+        // Use calloc() instead of new because the OPC UA stack uses free() internally when clearing the data
+        TARGETTYPE *arr = static_cast<TARGETTYPE *>(calloc(list.size(), sizeof(TARGETTYPE)));
 
         opcuavariant.Value.Array.Value.Array = arr;
 
@@ -635,8 +635,8 @@ OpcUa_Variant arrayFromQVariantPointer(const QVariant &var, const OpcUa_BuiltInT
     // Taking one pointer for all as it is union
     TARGETTYPE **temp = reinterpret_cast<TARGETTYPE **>(&opcuavariant.Value.Guid);
     // We have to allocate, otherwise copyTo() will not do any action
-    // Use malloc() instead of new because the OPC UA stack uses free() internally when clearing the data
-    *temp = static_cast<TARGETTYPE *>(malloc(sizeof(TARGETTYPE)));
+    // Use calloc() instead of new because the OPC UA stack uses free() internally when clearing the data
+    *temp = static_cast<TARGETTYPE *>(calloc(1, sizeof(TARGETTYPE)));
     scalarFromQVariant<TARGETTYPE, QTTYPE>(var, *temp);
     opcuavariant.Datatype = type;
     return opcuavariant;
author	Jannis Voelker <jannis.voelker@basyskom.com>	2018-06-21 16:17:13 +0200
committer	Jannis Völker <jannis.voelker@basyskom.com>	2018-06-25 11:17:03 +0000
commit	3fc61780187113455988307be2a93a1e801004c8 (patch)
tree	2e74cc1d61fc15425064560324a1bde8f7c97542
parent	e9d5fa0ae4b9e2043dd3054797f7a766ecbeae1d (diff)