From 3fc5500b4f2a8431ac013520e9faf606e893b39a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCri=20Valdmann?=
Date: Thu, 3 May 2018 13:39:36 +0200
Subject: [PATCH] QJsonDocument: Reject objects containing themselves in binary JSON

The added test case is a binary JSON file describing an array which contains itself. This file passes validation even though attempting to convert it to plain JSON leads to an infinite loop. Fixed by rejecting it in validation.

Task-number: QTBUG-61969
Change-Id: Ib4472e9777d09840c30c384b24294e4744b02045
Reviewed-by: Lars Knoll
---
 src/corelib/serialization/qjson.cpp | 6 +++---
 .../serialization/json/invalidBinaryData/39.bjson | Bin 0 -> 24 bytes
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 tests/auto/corelib/serialization/json/invalidBinaryData/39.bjson

diff --git a/src/corelib/serialization/qjson.cpp b/src/corelib/serialization/qjson.cpp
index e4bca3bcd0..c5e9eb70e1 100644
--- a/src/corelib/serialization/qjson.cpp
+++ b/src/corelib/serialization/qjson.cpp
@@ -328,7 +328,7 @@ int Value::usedStorage(const Base *b) const
 
 bool Value::isValid(const Base *b) const
 {
-    int offset = 0;
+    int offset = -1;
     switch (type) {
     case QJsonValue::Double:
         if (latinOrIntValue)
@@ -345,9 +345,9 @@ bool Value::isValid(const Base *b) const
         break;
     }
 
-    if (!offset)
+    if (offset == -1)
         return true;
-    if (offset + sizeof(uint) > b->tableOffset)
+    if (offset + sizeof(uint) > b->tableOffset || offset < (int)sizeof(Base))
         return false;
 
     int s = usedStorage(b);
diff --git a/tests/auto/corelib/serialization/json/invalidBinaryData/39.bjson b/tests/auto/corelib/serialization/json/invalidBinaryData/39.bjson
new file mode 100644
index 0000000000000000000000000000000000000000..c6025aa9eb022f6582951aa4178e937fa8754705
GIT binary patch
literal 24
ZcmXR+$|`1LU|
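Review bot: The new sentinel in `int offset = -1;` is only sound if no case of the switch can itself produce -1, and nothing at the declaration tells the reader that 0 has changed meaning from "no offset" to a real offset that the later bounds check must reject. I would annotate the declaration so the intent survives the next edit: `int offset = -1; // -1: this value type has no offset into b's storage; 0 is a real (invalid) offset`. The switch body continues outside the hunk, so I cannot confirm from here which values the cases assign.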
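Review bot: The added `offset < (int)sizeof(Base)` is the actual fix for QTBUG-61969, yet the line carries no comment explaining why an offset inside the Base header is rejected, so a later reader may fold it into the usedStorage check and reintroduce the loop. Suggest placing `// an offset pointing into b's own header means the value refers to its container (self-containing array/object)` above the `if`. On style, the condition now mixes the signed `int offset` with the `size_t` from `sizeof(uint)` in the first operand (offset is converted to unsigned there) and uses a C-style cast in the second; `static_cast<int>(sizeof(Base))` would be the named-cast form, subject to the file's existing convention. Whether offsets read from the file can be negative, which would affect both comparisons, depends on the Value layout that is not visible in this hunk.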