From a903d59b9a353d10862dd975db11b1b3d132bdf5 Mon Sep 17 00:00:00 2001
From: Nick Ratelle
Date: Fri, 6 Jan 2012 12:09:54 -0500
Subject: Fixes a possible out-of-bound write in QByteArray.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The QByteArray::QByteArray(int size, Qt::Initialization) constructor does not validate the 'size' parameter, allowing for negative values, for example.

Use shared_empty on QByteArray(int, Qt::Initialization) for future compatibility.

Change-Id: I25ba1918faa53eaaf3564c57cf28a27f93c42922
Reviewed-by: João Abecasis
---
 src/corelib/tools/qbytearray.cpp | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp
index afa556d..6ccf8e3 100644
--- a/src/corelib/tools/qbytearray.cpp
+++ b/src/corelib/tools/qbytearray.cpp
@@ -1369,12 +1369,17 @@ QByteArray::QByteArray(int size, char ch)
 
 QByteArray::QByteArray(int size, Qt::Initialization)
 {
-    d = static_cast(qMalloc(sizeof(Data)+size));
-    Q_CHECK_PTR(d);
-    d->ref = 1;
-    d->alloc = d->size = size;
-    d->data = d->array;
-    d->array[size] = '\0';
+    if (size <= 0) {
+        d = &shared_empty;
+    } else {
+        d = static_cast(qMalloc(sizeof(Data)+size));
+        Q_CHECK_PTR(d);
+        d->ref = 0;
+        d->alloc = d->size = size;
+        d->data = d->array;
+        d->array[size] = '\0';
+    }
+    d->ref.ref();
 }
 
 /*!
-- 
cgit v0.12
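Review bot: A negative `size` is now silently turned into the shared empty array by the `if (size <= 0)` guard, which closes the out-of-bounds write but also hides the caller bug that produced the negative value (typically an arithmetic underflow upstream). A debug-only check before the guard, `Q_ASSERT_X(size >= 0, "QByteArray::QByteArray", "negative size");`, would surface that bug in development builds while release builds keep the safe fallback; this is a suggestion, since the commit message only says negative values are "allowed". It would also help to add a one-line comment above the guard stating that size <= 0, including negative values, deliberately yields the shared empty instance, so the next maintainer does not "fix" it back to `size == 0`. Note that the cast on the allocation line appears as `static_cast(...)` with no template argument on this page, which looks like rendering stripped `<Data *>` rather than a defect in the patch. The whole constructor body is inside the hunk, so no part of the change is hidden from view.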