summaryrefslogtreecommitdiffstats
path: root/src/corelib
diff options
context:
space:
mode:
authorNick Ratelle <nratelle@qnx.com>2012-01-06 17:09:54 (GMT)
committerQt by Nokia <qt-info@nokia.com>2012-02-09 19:28:02 (GMT)
commita903d59b9a353d10862dd975db11b1b3d132bdf5 (patch)
tree361302190832e7bb941016b3eb86bf02cdb5ff73 /src/corelib
parent6c5e12a40ac8b2613c415349dc8b59bbe99b909e (diff)
downloadQt-a903d59b9a353d10862dd975db11b1b3d132bdf5.zip
Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.gz
Qt-a903d59b9a353d10862dd975db11b1b3d132bdf5.tar.bz2
Fixes a possible out-of-bound write in QByteArray.
The QByteArray::QByteArray(int size, Qt::Initialization) constructor does not validate the 'size' parameter, allowing for negative values, for example. Use shared_empty on QByteArray(int, Qt::Initialization) for future compatibility. Change-Id: I25ba1918faa53eaaf3564c57cf28a27f93c42922 Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
Diffstat (limited to 'src/corelib')
-rw-r--r--src/corelib/tools/qbytearray.cpp17
1 files changed, 11 insertions, 6 deletions
diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp
index afa556d..6ccf8e3 100644
--- a/src/corelib/tools/qbytearray.cpp
+++ b/src/corelib/tools/qbytearray.cpp
@@ -1369,12 +1369,17 @@ QByteArray::QByteArray(int size, char ch)
QByteArray::QByteArray(int size, Qt::Initialization)
{
- d = static_cast<Data *>(qMalloc(sizeof(Data)+size));
- Q_CHECK_PTR(d);
- d->ref = 1;
- d->alloc = d->size = size;
- d->data = d->array;
- d->array[size] = '\0';
+ if (size <= 0) {
+ d = &shared_empty;
+ } else {
+ d = static_cast<Data *>(qMalloc(sizeof(Data)+size));
+ Q_CHECK_PTR(d);
+ d->ref = 0;
+ d->alloc = d->size = size;
+ d->data = d->array;
+ d->array[size] = '\0';
+ }
+ d->ref.ref();
}
/*!