Validate size of the input in QJsonDocument::fromBinaryData

Change-Id: Ifc1d11b4dfbbe782d4e153118059c9affb833fa4 Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2012-03-29 14:56:52 +02:00 · 2012-03-29 14:56:52 +02:00 · aeb1824a84
commit aeb1824a84
parent 698b33fcce
1 changed files with 4 additions and 2 deletions
--- a/src/corelib/json/qjsondocument.cpp
+++ b/src/corelib/json/qjsondocument.cpp
@ -224,14 +224,16 @@ const char *QJsonDocument::rawData(int *size) const
 */
 QJsonDocument QJsonDocument::fromBinaryData(const QByteArray &data, DataValidation validation)
 {
+    if (data.size() < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)))
+        return QJsonDocument();
+
    QJsonPrivate::Header h;
    memcpy(&h, data.constData(), sizeof(QJsonPrivate::Header));
    QJsonPrivate::Base root;
    memcpy(&root, data.constData() + sizeof(QJsonPrivate::Header), sizeof(QJsonPrivate::Base));

    // do basic checks here, so we don't try to allocate more memory than we can.
-    if (data.size() < (int)(sizeof(QJsonPrivate::Header) + sizeof(QJsonPrivate::Base)) ||
-        h.tag != QJsonDocument::BinaryFormatTag || h.version != 1u ||
+    if (h.tag != QJsonDocument::BinaryFormatTag || h.version != 1u ||
        sizeof(QJsonPrivate::Header) + root.size > (uint)data.size())
        return QJsonDocument();