Commit Graph

9 Commits

Author SHA1 Message Date
Jüri Valdmann
f43e947dc4 QJsonDocument: Make emptyObject an object
A default-constructed QJsonObject has no data payload, it is only a pair of null
pointers. So, when it becomes necessary to 'materialize' such an object, a
special global emptyObject constant is used as the substitute payload. There is
a small problem with this global constant though, namely that it's is_object
flag is unset. In other words, the emptyObject is not an object, but an array.

Fix by setting the is_object flag on emptyObject.

The example code in the bug report

    QJsonObject parent;
    QJsonObject child;
    parent["child"] = child;              // 1
    child = parent["child"].toObject();   // 2
    child["test"] = "test";               // 3

runs into this problem on line 1. Inserting the default-constructed child means
inserting a copy of emptyObject. On line 2 a pointer to this copy of emptyObject
is retrieved and cast to an object. But it's not an object, it's an array, so
things go wrong hereafter.

Specifically, on line 3, two inserts are performed, one from operator[] and one
from operator=. Each insert increments a compaction counter. The second insert
triggers compaction (QJsonObject::insert calls Value::requiredStorage calls
Data::compact) and compaction branches based on the is_object flag. Replacing
line 3 with

    child.insert("test", "test");

causes the example to appear to work since compaction is not triggered and the
JSON serializer does not look at the is_object flag. Still, any further insert()
calls would trigger compaction and memory corruption.

Task-number: QTBUG-69626
Change-Id: I8bd5174dce95998bac479c4b4ffea70bca1a4d04
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
2018-07-31 09:33:42 +00:00
Jüri Valdmann
8e47474baf QJsonDocument: Avoid overflow of string lengths
The added test case contains the binary JSON equivalent of

    ["ž"]

with the modification that the string's length has been set to INT_MAX. In
Value::usedStorage this length is used through the pointer d like so

    s = sizeof(int) + sizeof(ushort) * qFromLittleEndian(*(int *)d);

Because 2 * INT_MAX is UINT_MAX-1, the expression as a whole evaluates to 2,
which is considered a valid storage size. However, when converting this binary
JSON into ordinary JSON we will attempt to construct a QString of length
INT_MAX.

Fixed by using String::isValid instead of Value::usedStorage. This method
already takes care to avoid the overflow problem. Additionally, I've tried in
this patch to clarify the behavior of Value::isValid a bit by writing it in a
style that is hopefully more amenable to structural induction.

Finally, the test case added in my previous patch had the wrong file extension
and is renamed in this one.

Task-number: QTBUG-61969
Change-Id: I45d891f2467a71d8d105822ef7eb1a73c3efa67a
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-14 10:52:47 +00:00
Jüri Valdmann
93e0ff037e QJsonDocument: Validate also zero-length objects
The added test case is the binary JSON equivalent of

    {"a":{"š":null}}

with two modifications. First, the length of the string "š" has been corrupted
to 0xFFFFFF00. Second and more import, the Base::size field of the inner object
has been reset to 0.

On its own the first modification would normally trigger a validation error.
However, due to the second modification the Value::usedStorage for the inner
object evaluates to 0, completely disabling all further validation of the
object's contents.

Attempting to convert this binary JSON into standard JSON will lead to the JSON
writer trying to construct a QString of length 0xFFFFFF00.

Fixed by validating also objects with usedStorage == 0.

Task-number: QTBUG-61969
Change-Id: I5e59383674dec9be89361759572c0d91d4e16e01
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-04 12:04:05 +00:00
Jüri Valdmann
3fc5500b4f QJsonDocument: Reject objects containing themselves in binary JSON
The added test case is a binary JSON file describing an array which contains
itself. This file passes validation even though attempting to convert it to
plain JSON leads to an infinite loop. Fixed by rejecting it in validation.

Task-number: QTBUG-61969
Change-Id: Ib4472e9777d09840c30c384b24294e4744b02045
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
2018-05-04 12:03:57 +00:00
Jüri Valdmann
d3935cbd71 QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.

A new test case is added with an empty binary json file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.

Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-04 11:53:03 +00:00
Thiago Macieira
4e02c8d5b8 JSON: remove braces from UUID text representations
[ChangeLog][QtCore][QJsonValue] fromVariant() conversion now converts
from QUrl and QUuid using special encoding forms to ensure best JSON
compatibility.

Change-Id: I56b444f9d6274221a3b7fffd150cdc5ca1f87ff1
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2018-03-02 04:06:33 +00:00
Thiago Macieira
a2ffb35ac2 QJsonValue: use the fully-encoded form of a URL in fromVariant()
For compatibility with other parsers that may expect it to be so.

Change-Id: I56b444f9d6274221a3b7fffd150cd66390f98fd5
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2018-03-02 04:06:24 +00:00
Liang Qi
305dd1b61f Merge remote-tracking branch 'origin/5.9' into 5.11
Conflicts:
	.qmake.conf
	src/corelib/animation/qvariantanimation.cpp
	src/corelib/global/qglobal.cpp
	src/corelib/global/qlogging.cpp
	src/corelib/io/qprocess_win.cpp
	src/corelib/json/qjsonarray.cpp
	src/corelib/tools/qsimd_p.h
	src/corelib/tools/qtimezoneprivate_p.h
	src/corelib/xml/qxmlstream_p.h
	src/gui/kernel/qsimpledrag.cpp
	src/gui/kernel/qsimpledrag_p.h
	src/plugins/generic/generic.pro
	src/plugins/platforms/cocoa/qcocoamenu.mm
	src/widgets/styles/qmacstyle_mac.mm
	tests/auto/concurrent/qtconcurrentmap/BLACKLIST
	tests/auto/corelib/io/qfileinfo/tst_qfileinfo.cpp
	tests/auto/corelib/tools/qdatetime/tst_qdatetime.cpp
	tests/auto/gui/kernel/qwindow/BLACKLIST
	tests/auto/widgets/dialogs/qmessagebox/BLACKLIST

Change-Id: I508d686cf20f7f8cc6a7119b9bc7c3bbb505c58e
2018-02-14 12:51:24 +01:00
Thiago Macieira
a6b697ca13 Create corelib/serialization and move existing file formats into it
This is in preparation to adding CBOR support. We don't need yet another
dir for CBOR and placing it in src/corelib/json is just wrong.

Change-Id: I9741f017961b410c910dfffd14ffb9d870340fa6
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
2018-01-26 20:59:50 +00:00