From 9d44645eae144fcfefa0de2455d41f04d29c40d4 Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@digia.com>
Date: Fri, 19 Sep 2014 14:06:11 +0200
Subject: [PATCH] Do Q_CHECK_PTR on all results of QArrayData::allocate()

QArrayData::allocate() uses malloc() which can return 0. We need to
check for that when using it inside other containers. The containers
might otherwise return a seemingly valid result from some allocating
operation which is actually corrupt.

Task-number: QTBUG-41231
Change-Id: I16cc6035e4f495f519bd38bf29cee080ee0637f6
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
---
 src/corelib/tools/qarraydatapointer.h | 6 ++++--
 src/corelib/tools/qvector.h           | 5 +++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/corelib/tools/qarraydatapointer.h b/src/corelib/tools/qarraydatapointer.h
index f2cd3ec983..aef38bc20b 100644
--- a/src/corelib/tools/qarraydatapointer.h
+++ b/src/corelib/tools/qarraydatapointer.h
@@ -169,8 +169,10 @@ public:
 private:
     Data *clone(QArrayData::AllocationOptions options) const Q_REQUIRED_RESULT
     {
-        QArrayDataPointer copy(Data::allocate(d->detachCapacity(d->size),
-                    options));
+        Data *x = Data::allocate(d->detachCapacity(d->size), options);
+        Q_CHECK_PTR(x);
+        QArrayDataPointer copy(x);
+
         if (d->size)
             copy->copyAppend(d->begin(), d->end());
 
diff --git a/src/corelib/tools/qvector.h b/src/corelib/tools/qvector.h
index bfc7f2380f..9c8d9d4cf8 100644
--- a/src/corelib/tools/qvector.h
+++ b/src/corelib/tools/qvector.h
@@ -327,9 +327,11 @@ inline QVector<T>::QVector(const QVector<T> &v)
     } else {
         if (v.d->capacityReserved) {
             d = Data::allocate(v.d->alloc);
+            Q_CHECK_PTR(d);
             d->capacityReserved = true;
         } else {
             d = Data::allocate(v.d->size);
+            Q_CHECK_PTR(d);
         }
         if (d->alloc) {
             copyConstruct(v.d->begin(), v.d->end(), d->begin());
@@ -439,6 +441,7 @@ QVector<T>::QVector(int asize)
     Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
     if (Q_LIKELY(asize > 0)) {
         d = Data::allocate(asize);
+        Q_CHECK_PTR(d);
         d->size = asize;
         defaultConstruct(d->begin(), d->end());
     } else {
@@ -452,6 +455,7 @@ QVector<T>::QVector(int asize, const T &t)
     Q_ASSERT_X(asize >= 0, "QVector::QVector", "Size must be greater than or equal to 0.");
     if (asize > 0) {
         d = Data::allocate(asize);
+        Q_CHECK_PTR(d);
         d->size = asize;
         T* i = d->end();
         while (i != d->begin())
@@ -467,6 +471,7 @@ QVector<T>::QVector(std::initializer_list<T> args)
 {
     if (args.size() > 0) {
         d = Data::allocate(args.size());
+        Q_CHECK_PTR(d);
         // std::initializer_list<T>::iterator is guaranteed to be
         // const T* ([support.initlist]/1), so can be memcpy'ed away from by copyConstruct
         copyConstruct(args.begin(), args.end(), d->begin());