QByteArray: fix UB (precondition violation) in replace()

If after.isNull(), then we called memcpy with a nullptr, which is UB,
even if the size is zero, too.

memmove() has the same precondition.

Fix by guarding the memcpy() call with an explicit length check.

The Qt 5.15 code is sufficiently different to not attempt to pick
there.

Pick-to: 6.3 6.2
Change-Id: I86a2f00ede6ca8fab8d4222f84dccf375c4a2194
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Marc Mutz 2021-12-16 10:00:47 +01:00
parent 0c39e5c76d
commit c31fecd27f
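The precondition the message describes, shown in an added example that is not Qt's code: a hypothetical replaceSameSize() uses std::string in place of QByteArray and std::string_view in place of QByteArrayView (a default-constructed string_view has data() == nullptr and size() == 0, the analogue of a null view), and guards memcpy() on the length as the fix does.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <string_view>

// Same-size in-place replacement, mirroring the shape of the Qt branch.
// Hypothetical helper, not Qt's: std::string stands in for QByteArray and
// std::string_view for QByteArrayView. Returns false when the request is not
// a same-size, in-bounds replacement (the Qt code takes another path there).
bool replaceSameSize(std::string &s, std::size_t pos, std::size_t len,
                     std::string_view after)
{
    if (len != after.size() || pos + len > s.size())
        return false;
    // memcpy() requires non-null pointers even when the length is zero, so a
    // null view must never reach it. Because len == after.size(), a null view
    // always has len == 0, and guarding on the length excludes it.
    if (len > 0)
        std::memcpy(s.data() + pos, after.data(), len);
    return true;
}

// The pre-fix code path, for contrast: reports (instead of performing) the
// precondition violation, i.e. whether the unguarded memcpy() would have
// received a null source pointer for this input.
bool unguardedCallWouldViolate(std::string_view after, std::size_t len)
{
    return len == after.size() && after.data() == nullptr;
}
```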


@ -2169,8 +2169,10 @@ QByteArray &QByteArray::replace(qsizetype pos, qsizetype len, QByteArrayView aft
return replace(pos, len, QByteArrayView{copy});
}
if (len == after.size() && (pos + len <= size())) {
// same size: in-place replacement possible
detach();
memcpy(d.data() + pos, after.data(), len*sizeof(char));
if (len > 0)
memcpy(d.data() + pos, after.data(), len*sizeof(char));
return *this;
} else {
// ### optimize me
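Review bot: the new `if (len > 0)` guard in the same-size branch has no comment saying why it exists; since memcpy()'s non-null precondition for zero-length copies is not widely known, a later cleanup could remove it as an apparent no-op. Suggest a one-line comment on the guard, e.g. `// memcpy() requires non-null pointers even when len == 0 (after may be null)`. Minor style point on the same line: `len*sizeof(char)` is just `len`, since sizeof(char) is 1 by definition.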