diff options
author | Nick Ratelle <nratelle@qnx.com> | 2012-01-06 17:09:54 (GMT) |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2012-02-09 19:28:02 (GMT) |
commit | a903d59b9a353d10862dd975db11b1b3d132bdf5 (patch) | |
tree | 361302190832e7bb941016b3eb86bf02cdb5ff73 /src/corelib | |
parent | 6c5e12a40ac8b2613c415349dc8b59bbe99b909e (diff) | |
download | Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.zip Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.gz Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.bz2 |
Fixes a possible out-of-bound write in QByteArray.
The QByteArray::QByteArray(int size, Qt::Initialization) constructor does not
validate the 'size' parameter, allowing for negative values, for example.
Use shared_empty on QByteArray(int, Qt::Initialization) for future compatibility.
Change-Id: I25ba1918faa53eaaf3564c57cf28a27f93c42922
Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
Diffstat (limited to 'src/corelib')
-rw-r--r-- | src/corelib/tools/qbytearray.cpp | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp index afa556d..6ccf8e3 100644 --- a/src/corelib/tools/qbytearray.cpp +++ b/src/corelib/tools/qbytearray.cpp @@ -1369,12 +1369,17 @@ QByteArray::QByteArray(int size, char ch) QByteArray::QByteArray(int size, Qt::Initialization) { - d = static_cast<Data *>(qMalloc(sizeof(Data)+size)); - Q_CHECK_PTR(d); - d->ref = 1; - d->alloc = d->size = size; - d->data = d->array; - d->array[size] = '\0'; + if (size <= 0) { + d = &shared_empty; + } else { + d = static_cast<Data *>(qMalloc(sizeof(Data)+size)); + Q_CHECK_PTR(d); + d->ref = 0; + d->alloc = d->size = size; + d->data = d->array; + d->array[size] = '\0'; + } + d->ref.ref(); } /*! |