From 2281a3a7a62a5a81de7fefaf0b84f130b16bd44f Mon Sep 17 00:00:00 2001
From: Olivier Goffart <olivier.goffart@nokia.com>
Date: Tue, 10 Aug 2010 10:54:26 +0200
Subject: QMetaObject::normalizeSignature  avoid reading past the string in
 case of invalid signature given.

If passed "a(b",  qNormalizeType would return a pointer to the \0 at the end
of the string. We would add \0 to the result (thinking it is ',' or ')' )
And continue to process the memory after the string.

Reviewed-by: Kent Hansen
Task-number: QT-1591
---
 src/corelib/kernel/qmetaobject.cpp         | 5 ++++-
 tests/auto/qmetaobject/tst_qmetaobject.cpp | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/corelib/kernel/qmetaobject.cpp b/src/corelib/kernel/qmetaobject.cpp
index 79a38cd..9854e68 100644
--- a/src/corelib/kernel/qmetaobject.cpp
+++ b/src/corelib/kernel/qmetaobject.cpp
@@ -1009,8 +1009,11 @@ QByteArray QMetaObject::normalizedSignature(const char *method)
     int argdepth = 0;
     int templdepth = 0;
     while (*d) {
-        if (argdepth == 1)
+        if (argdepth == 1) {
             d = qNormalizeType(d, templdepth, result);
+            if (!*d) //most likely an invalid signature.
+                break;
+        }
         if (*d == '(')
             ++argdepth;
         if (*d == ')')
diff --git a/tests/auto/qmetaobject/tst_qmetaobject.cpp b/tests/auto/qmetaobject/tst_qmetaobject.cpp
index 62416b1..bb96da1 100644
--- a/tests/auto/qmetaobject/tst_qmetaobject.cpp
+++ b/tests/auto/qmetaobject/tst_qmetaobject.cpp
@@ -714,6 +714,8 @@ void tst_QMetaObject::normalizedSignature_data()
     QTest::newRow("const12") << "void foo(Foo<Bar>const*const *const)" << "void foo(Foo<Bar>*const*const)";
     QTest::newRow("const13") << "void foo(const Foo<Bar>&)" << "void foo(Foo<Bar>)";
     QTest::newRow("const14") << "void foo(Foo<Bar>const&)" << "void foo(Foo<Bar>)";
+
+    QTest::newRow("invalid1") << "a( b" << "a(b";
 }
 
 void tst_QMetaObject::normalizedSignature()
@@ -721,7 +723,7 @@ void tst_QMetaObject::normalizedSignature()
     QFETCH(QString, signature);
     QFETCH(QString, result);
 
-    QCOMPARE(QString::fromLatin1(QMetaObject::normalizedSignature(signature.toLatin1())), result);
+    QCOMPARE(QMetaObject::normalizedSignature(signature.toLatin1()), result.toLatin1());
 }
 
 void tst_QMetaObject::normalizedType_data()
@@ -759,7 +761,7 @@ void tst_QMetaObject::normalizedType()
     QFETCH(QString, type);
     QFETCH(QString, result);
 
-    QCOMPARE(QString::fromLatin1(QMetaObject::normalizedType(type.toLatin1())), result);
+    QCOMPARE(QMetaObject::normalizedType(type.toLatin1()), result.toLatin1());
 }
 
 void tst_QMetaObject::customPropertyType()
-- 
cgit v0.12