diff options
| author | Sami Rosendahl <ext-sami.1.rosendahl@nokia.com> | 2012-01-17 11:41:20 (GMT) |
|---|---|---|
| committer | Qt by Nokia <qt-info@nokia.com> | 2012-01-25 12:29:00 (GMT) |
| commit | d1cd17713e6d0bd9c7a270ba675704ad244e2b13 (patch) | |
| tree | 9531b7bd9c8b50ba1c52a9f4c47a0711cb4e2b16 /src | |
| parent | 03905f771b23b1e6d33e6b42811b8b5e915c9d8f (diff) | |
| download | Qt-d1cd17713e6d0bd9c7a270ba675704ad244e2b13.zip Qt-d1cd17713e6d0bd9c7a270ba675704ad244e2b13.tar.gz Qt-d1cd17713e6d0bd9c7a270ba675704ad244e2b13.tar.bz2 | |
Fix crash in QDBusDemarshaller QStringList extraction
QDBusArgument QStringList extraction operator and QDBusDemarshaller that
implements the extraction do not check the type of the extracted value.
When extracting a QStringList and the value actually is e.g. an array of
bytes the string list extraction will crash as it interprets the bytes as
char pointers.
The fix adds DBus type checks to QDBusArgument QStringList extraction
operator implementations.
The checks are as permissive as possible provided crashes are avoided.
Task-number: QTBUG-22840
Change-Id: I83a98097a7cf36f8448afba81d0ad619cdf864e3
(From Qt5 commit b4398dc4e372dbe829b21423e1a0a93a6a542994)
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/dbus/qdbusargument_p.h | 1 | ||||
| -rw-r--r-- | src/dbus/qdbusdemarshaller.cpp | 13 |
2 files changed, 12 insertions, 2 deletions
diff --git a/src/dbus/qdbusargument_p.h b/src/dbus/qdbusargument_p.h index 36e9f2d..e977c99 100644 --- a/src/dbus/qdbusargument_p.h +++ b/src/dbus/qdbusargument_p.h @@ -212,6 +212,7 @@ private: QString toStringUnchecked(); QDBusObjectPath toObjectPathUnchecked(); QDBusSignature toSignatureUnchecked(); + QStringList toStringListUnchecked(); }; inline QDBusMarshaller *QDBusArgumentPrivate::marshaller() diff --git a/src/dbus/qdbusdemarshaller.cpp b/src/dbus/qdbusdemarshaller.cpp index 8769846..be19b00 100644 --- a/src/dbus/qdbusdemarshaller.cpp +++ b/src/dbus/qdbusdemarshaller.cpp @@ -274,7 +274,7 @@ QVariant QDBusDemarshaller::toVariantInternal() // QByteArray return toByteArray(); case DBUS_TYPE_STRING: - return toStringList(); + return toStringListUnchecked(); case DBUS_TYPE_DICT_ENTRY: return QVariant::fromValue(duplicate()); @@ -317,7 +317,7 @@ bool QDBusDemarshaller::isCurrentTypeStringLike() } } -QStringList QDBusDemarshaller::toStringList() +QStringList QDBusDemarshaller::toStringListUnchecked() { QStringList list; @@ -330,6 +330,15 @@ QStringList QDBusDemarshaller::toStringList() return list; } +QStringList QDBusDemarshaller::toStringList() +{ + if (q_dbus_message_iter_get_arg_type(&iterator) == DBUS_TYPE_ARRAY + && q_dbus_message_iter_get_element_type(&iterator) == DBUS_TYPE_STRING) + return toStringListUnchecked(); + else + return QStringList(); +} + QByteArray QDBusDemarshaller::toByteArray() { DBusMessageIter sub; |