Merge remote-tracking branch 'origin/5.11' into dev

Change-Id: Id171407c17533846e8efe0e586d6793a61543438

1 files changed, 14 insertions, 3 deletions

diff --git a/src/core/renderer_host/web_channel_ipc_transport_host.cpp b/src/core/renderer_host/web_channel_ipc_transport_host.cpp
index 6b32093a6..d99dfde97 100644
--- a/src/core/renderer_host/web_channel_ipc_transport_host.cpp
+++ b/src/core/renderer_host/web_channel_ipc_transport_host.cpp
@@ -49,6 +49,8 @@
 #include <QJsonObject>
 #include <QLoggingCategory>
 
+#include <QtCore/private/qjson_p.h>
+
 namespace QtWebEngineCore {
 
 Q_LOGGING_CATEGORY(log, "qt.webengine.webchanneltransport");
@@ -108,10 +110,19 @@ void WebChannelIPCTransportHost::setWorldId(content::RenderFrameHost *frame, bas
 
 void WebChannelIPCTransportHost::onWebChannelMessage(const std::vector<char> &message)
 {
-    Q_ASSERT(!message.empty());
-    QJsonDocument doc = QJsonDocument::fromRawData(message.data(), message.size(), QJsonDocument::BypassValidation);
-    Q_ASSERT(doc.isObject());
     content::RenderFrameHost *frame = web_contents()->GetMainFrame();
+
+    QJsonDocument doc;
+    // QJsonDocument::fromRawData does not check the length before it starts
+    // parsing the QJsonPrivate::Header and QJsonPrivate::Base structures.
+    if (message.size() >= sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base))
+        doc = QJsonDocument::fromRawData(message.data(), message.size());
+
+    if (!doc.isObject()) {
+        qCCritical(log).nospace() << "received invalid webchannel message from " << frame;
+        return;
+    }
+
     qCDebug(log).nospace() << "received webchannel message from " << frame << ": " << doc;
     Q_EMIT messageReceived(doc.object(), this);
 }