author | Olivier Goffart <olivier.goffart@nokia.com> | 2010-11-10 16:02:02 (GMT) |
---|---|---|
committer | Olivier Goffart <olivier.goffart@nokia.com> | 2010-11-10 16:19:27 (GMT) |
commit | 27fe0f93f961e78b71cd0b729a0e324b847ec023 (patch) | |
tree | be4efe7953e8c5f7834ac5e71cd843d43a80e744 | |
parent | 46d2d05e3a95eefae1c72f55d57cbea4ce27d14e (diff) | |
Fix crash in tst_QByteArray::qUncompress
On 64-bit systems, len + sizeof(QByteArray::Data) could overflow and become 0.
In this case, qRealloc could succeed and return 0, leading to a double free.
Reviewed-by: Joao
-rw-r--r-- | src/corelib/tools/qbytearray.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp
index dc2e8e9..68789d9 100644
--- a/src/corelib/tools/qbytearray.cpp
+++ b/src/corelib/tools/qbytearray.cpp
@@ -541,6 +541,11 @@ QByteArray qUncompress(const uchar* data, int nbytes)
 forever {
 ulong alloc = len;
+ if (len >= (2 << 31) - sizeof(QByteArray::Data)) {
+ //QByteArray does not support that huge size anyway.
+ qWarning("qUncompress: Input data is corrupted");
+ return QByteArray();
+ }
 QByteArray::Data *p = static_cast<QByteArray::Data *>(qRealloc(d.data(), sizeof(QByteArray::Data) + alloc));
 if (!p) {
 // we are not allowed to crash here when compiling with QT_NO_EXCEPTIONS
@@ -556,6 +561,11 @@ QByteArray qUncompress(const uchar* data, int nbytes)
 switch (res) {
 case Z_OK:
 if (len != alloc) {
+ if (len >= (2 << 31) - sizeof(QByteArray::Data)) {
+ //QByteArray does not support that huge size anyway.
+ qWarning("qUncompress: Input data is corrupted");
+ return QByteArray();
+ }
 QByteArray::Data *p = static_cast<QByteArray::Data *>(qRealloc(d.data(), sizeof(QByteArray::Data) + len));
 if (!p) {
 // we are not allowed to crash here when compiling with QT_NO_EXCEPTIONS |
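Review bot: The new bound `(2 << 31) - sizeof(QByteArray::Data)` is built from an `int` shift: `2 << 31` needs 33 bits, so on the usual 32-bit `int` it shifts past the sign bit, which is undefined behaviour, and compilers that simply wrap evaluate it to 0; `0 - sizeof(...)` then becomes a `size_t` value just below its maximum, so the guard in both hunks would essentially never fire and the zero-sized-realloc path this commit is meant to close stays reachable. The intent appears to be 2^31, the limit implied by QByteArray's `int` size, so an unsigned, non-overflowing spelling such as `if (len >= (1ul << 31) - sizeof(QByteArray::Data)) {` would express it at both sites (the same condition is repeated verbatim in the second hunk at -556). Because the check and its warning are duplicated, a small file-local helper that takes `len` and returns whether it exceeds the supported size would keep the two sites from drifting apart. qUncompress's body begins and ends outside both hunks.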