From 27fe0f93f961e78b71cd0b729a0e324b847ec023 Mon Sep 17 00:00:00 2001
From: Olivier Goffart <olivier.goffart@nokia.com>
Date: Wed, 10 Nov 2010 17:02:02 +0100
Subject: Fix crash in tst_QByteArray::qUncompress

On 64-bit systems, len + sizeof(QByteArray::Data) could overflow and become 0
In this case, qRealloc could succeed and return 0, leading to a double free.

Reviewed-by: Joao
---
 src/corelib/tools/qbytearray.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/corelib/tools/qbytearray.cpp b/src/corelib/tools/qbytearray.cpp
index dc2e8e9..68789d9 100644
--- a/src/corelib/tools/qbytearray.cpp
+++ b/src/corelib/tools/qbytearray.cpp
@@ -541,6 +541,11 @@ QByteArray qUncompress(const uchar* data, int nbytes)
 
     forever {
         ulong alloc = len;
+        if (len  >= (2 << 31) - sizeof(QByteArray::Data)) {
+            //QByteArray does not support that huge size anyway.
+            qWarning("qUncompress: Input data is corrupted");
+            return QByteArray();
+        }
         QByteArray::Data *p = static_cast<QByteArray::Data *>(qRealloc(d.data(), sizeof(QByteArray::Data) + alloc));
         if (!p) {
             // we are not allowed to crash here when compiling with QT_NO_EXCEPTIONS
@@ -556,6 +561,11 @@ QByteArray qUncompress(const uchar* data, int nbytes)
         switch (res) {
         case Z_OK:
             if (len != alloc) {
+                if (len  >= (2 << 31) - sizeof(QByteArray::Data)) {
+                    //QByteArray does not support that huge size anyway.
+                    qWarning("qUncompress: Input data is corrupted");
+                    return QByteArray();
+                }
                 QByteArray::Data *p = static_cast<QByteArray::Data *>(qRealloc(d.data(), sizeof(QByteArray::Data) + len));
                 if (!p) {
                     // we are not allowed to crash here when compiling with QT_NO_EXCEPTIONS
-- 
cgit v0.12