authorNick Ratelle <nratelle@qnx.com>2012-01-06 17:09:54 (GMT)
committerQt by Nokia <qt-info@nokia.com>2012-02-09 19:28:02 (GMT)
commita903d59b9a353d10862dd975db11b1b3d132bdf5 (patch)
tree361302190832e7bb941016b3eb86bf02cdb5ff73
parent6c5e12a40ac8b2613c415349dc8b59bbe99b909e (diff)
downloadQt-a903d59b9a353d10862dd975db11b1b3d132bdf5.zip
Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.gz
Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.bz2
Fixes a possible out-of-bound write in QByteArray.
The QByteArray::QByteArray(int size, Qt::Initialization) constructor does not validate the 'size' parameter, allowing for negative values, for example. Use shared_empty on QByteArray(int, Qt::Initialization) for future compatibility. Change-Id: I25ba1918faa53eaaf3564c57cf28a27f93c42922 Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
-rw-r--r--src/corelib/tools/qbytearray.cpp17
1 files changed, 11 insertions, 6 deletions
diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp
index afa556d..6ccf8e3 100644
--- a/src/corelib/tools/qbytearray.cpp
+++ b/src/corelib/tools/qbytearray.cpp
@@ -1369,12 +1369,17 @@ QByteArray::QByteArray(int size, char ch)
QByteArray::QByteArray(int size, Qt::Initialization)
{
- d = static_cast<Data *>(qMalloc(sizeof(Data)+size));
- Q_CHECK_PTR(d);
- d->ref = 1;
- d->alloc = d->size = size;
- d->data = d->array;
- d->array[size] = '\0';
+ if (size <= 0) {
+ d = &shared_empty;
+ } else {
+ d = static_cast<Data *>(qMalloc(sizeof(Data)+size));
+ Q_CHECK_PTR(d);
+ d->ref = 0;
+ d->alloc = d->size = size;
+ d->data = d->array;
+ d->array[size] = '\0';
+ }
+ d->ref.ref();
}
/*!
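Review bot: The new `if (size <= 0)` branch silently maps a negative size onto `shared_empty`, so a caller passing a negative count is masked rather than reported; a debug-only precondition ahead of it, e.g. `Q_ASSERT_X(size >= 0, "QByteArray::QByteArray", "negative size")` (assuming the project's assertion macros are visible in this file), would surface the caller bug in tests while keeping the release behaviour this commit introduces. The branch would also benefit from a one-line comment stating the intent, e.g. `// size <= 0: share the empty Data rather than call qMalloc(sizeof(Data)+size) with a negative offset`, since the reason for folding negatives into the empty case is otherwise only in the commit message. The `d->ref = 0;` in the allocation branch followed by the unconditional `d->ref.ref();` leaves both branches with a net +1 reference, which is correct but reads oddly; a short comment such as `// both branches: d now holds exactly one new reference` would help. The constructor lies entirely within the hunk; `Data` and `shared_empty` are declared outside it.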