From 403b15488b3d687bc2830099f075a5ad12f0ef5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Str=C3=B8mme?= Date: Mon, 24 Sep 2012 12:38:44 +0200 Subject: [PATCH] Fix for integer overflow in QString::replace Task-number: QTBUG-22967 Change-Id: I604e6a725d46eab4c4369ebb54e8c9ea1350f492 Reviewed-by: Thiago Macieira --- src/corelib/tools/qstring.cpp | 6 +++++- tests/auto/corelib/tools/qstring/tst_qstring.cpp | 2 -- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/corelib/tools/qstring.cpp b/src/corelib/tools/qstring.cpp index 43c5c058f0..34a8cbe4c8 100644 --- a/src/corelib/tools/qstring.cpp +++ b/src/corelib/tools/qstring.cpp @@ -1752,6 +1752,10 @@ QString &QString::remove(QChar ch, Qt::CaseSensitivity cs) Replaces \a n characters beginning at index \a position with the string \a after and returns a reference to this string. + \note If the specified \a position index is within the string, + but \a position + \a n goes outside the strings range, + then \a n will be adjusted to stop at the end of the string. + Example: \snippet qstring/main.cpp 40 @@ -1775,7 +1779,7 @@ QString &QString::replace(int pos, int len, const QChar *unicode, int size) { if (pos < 0 || pos > d->size) return *this; - if (pos + len > d->size) + if (len > d->size - pos) len = d->size - pos; uint index = pos; diff --git a/tests/auto/corelib/tools/qstring/tst_qstring.cpp b/tests/auto/corelib/tools/qstring/tst_qstring.cpp index 2b00ec8c20..2bf8119b9e 100644 --- a/tests/auto/corelib/tools/qstring/tst_qstring.cpp +++ b/tests/auto/corelib/tools/qstring/tst_qstring.cpp @@ -2230,8 +2230,6 @@ void tst_QString::replace_uint_uint() QFETCH( int, len ); QFETCH( QString, after ); - QEXPECT_FAIL("overflow", "QTBUG-22967: integer overflow if (index + len) > INT_MAX", Abort); - QString s1 = string; s1.replace( (uint) index, (int) len, after ); QTEST( s1, "result" );
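Review bot: The added `\note` documents only the upper clamp of `\a n`; it does not say what happens when `\a position` is outside the string, or when `\a n` is negative. The `replace(int pos, int len, const QChar *unicode, int size)` hunk in this patch returns the string unchanged for an out-of-range position, so a sentence such as `If \a position is outside the string, the string is returned unchanged.` would complete the contract, provided the documented overload behaves the same way. The wording `the strings range` should read `the string's range`. The comment block starts and ends outside the hunk, so which overload it documents is not visible here.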
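Review bot: A negative `len` is still not handled in `QString::replace(int pos, int len, const QChar *unicode, int size)`. The rewritten clamp `if (len > d->size - pos)` bounds `len` only from above, so a value below zero passes through to the code after `uint index = pos;`, which lies outside this hunk. If that code does not already tolerate it, a guard such as `if (len < 0) len = 0;` next to the clamp would close the remaining signed-arithmetic gap. The subtraction form is overflow-free only because the preceding check keeps `pos` in `[0, d->size]`. A short comment such as `// pos is in [0, d->size] here, so d->size - pos cannot overflow` would keep a later reordering of these checks from reintroducing QTBUG-22967.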