From be3bd368485d373e63b3e4ff5c7db2da1d119feb Mon Sep 17 00:00:00 2001
From: Olivier Goffart <olivier.goffart@nokia.com>
Date: Tue, 28 Jun 2011 11:21:00 +0200
Subject: Fix invalid read in QUrl::removeAllEncodedQueryItems

The remove will detach the string making the query pointer invalid.

Note: the "test3" case is commented out because it does not remove
the & at the end, and i do not want to enforce this behaviour in the
test

Task-number: QTBUG-20065
Change-Id: I195c5c3b468f46c797c7c4f8075303f2b1f4724c
Reviewed-on: http://codereview.qt.nokia.com/822
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit 2dd90a27a82289a5088b929c3bd27c1fd05967f6)

Conflicts:

	tests/auto/qurl/tst_qurl.cpp
---
 src/corelib/io/qurl.cpp      |  1 +
 tests/auto/qurl/tst_qurl.cpp | 28 +++++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/corelib/io/qurl.cpp b/src/corelib/io/qurl.cpp
index 8813656..d551009 100644
--- a/src/corelib/io/qurl.cpp
+++ b/src/corelib/io/qurl.cpp
@@ -5466,6 +5466,7 @@ void QUrl::removeAllEncodedQueryItems(const QByteArray &key)
             if (end < d->query.size())
                 ++end; // remove additional '%'
             d->query.remove(pos, end - pos);
+            query = d->query.constData(); //required if remove detach;
         } else {
             pos = end + 1;
         }
diff --git a/tests/auto/qurl/tst_qurl.cpp b/tests/auto/qurl/tst_qurl.cpp
index b78679b..2fa193a 100644
--- a/tests/auto/qurl/tst_qurl.cpp
+++ b/tests/auto/qurl/tst_qurl.cpp
@@ -201,10 +201,9 @@ private slots:
     void task_240612();
     void taskQTBUG_6962();
     void taskQTBUG_8701();
+    void removeAllEncodedQueryItems_data();
+    void removeAllEncodedQueryItems();
 
-#ifdef QT3_SUPPORT
-    void dirPath();
-#endif
 };
 
 // Testing get/set functions
@@ -4031,5 +4030,28 @@ void tst_QUrl::effectiveTLDs()
     QCOMPARE(domain.topLevelDomain(), TLD);
 }
 
+void tst_QUrl::removeAllEncodedQueryItems_data()
+{
+    QTest::addColumn<QUrl>("url");
+    QTest::addColumn<QByteArray>("key");
+    QTest::addColumn<QUrl>("result");
+
+    QTest::newRow("test1") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b&ccc=c") << QByteArray("bbb") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&ccc=c");
+    QTest::newRow("test2") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b&ccc=c") << QByteArray("aaa") << QUrl::fromEncoded("http://qt.nokia.com/foo?bbb=b&ccc=c");
+//    QTest::newRow("test3") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b&ccc=c") << QByteArray("ccc") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b");
+    QTest::newRow("test4") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b&ccc=c") << QByteArray("b%62b") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&bbb=b&ccc=c");
+    QTest::newRow("test5") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&b%62b=b&ccc=c") << QByteArray("b%62b") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&ccc=c");
+    QTest::newRow("test6") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&b%62b=b&ccc=c") << QByteArray("bbb") << QUrl::fromEncoded("http://qt.nokia.com/foo?aaa=a&b%62b=b&ccc=c");
+}
+
+void tst_QUrl::removeAllEncodedQueryItems()
+{
+    QFETCH(QUrl, url);
+    QFETCH(QByteArray, key);
+    QFETCH(QUrl, result);
+    url.removeAllEncodedQueryItems(key);
+    QCOMPARE(url, result);
+}
+
 QTEST_MAIN(tst_QUrl)
 #include "tst_qurl.moc"
-- 
cgit v0.12