Commit Graph

7 Commits

Author SHA1 Message Date
Jüri Valdmann
8e47474baf QJsonDocument: Avoid overflow of string lengths
The added test case contains the binary JSON equivalent of

    ["ž"]

with the modification that the string's length has been set to INT_MAX. In
Value::usedStorage this length is used through the pointer d like so

    s = sizeof(int) + sizeof(ushort) * qFromLittleEndian(*(int *)d);

Because 2 * INT_MAX is UINT_MAX-1, the expression as a whole evaluates to 2,
which is considered a valid storage size. However, when converting this binary
JSON into ordinary JSON we will attempt to construct a QString of length
INT_MAX.

Fixed by using String::isValid instead of Value::usedStorage. This method
already takes care to avoid the overflow problem. Additionally, I've tried in
this patch to clarify the behavior of Value::isValid a bit by writing it in a
style that is hopefully more amenable to structural induction.

Finally, the test case added in my previous patch had the wrong file extension
and is renamed in this one.

Task-number: QTBUG-61969
Change-Id: I45d891f2467a71d8d105822ef7eb1a73c3efa67a
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-14 10:52:47 +00:00
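The length overflow described in commit 8e47474baf above, as an added example that is not Qt's code and not part of the commit. It assumes a simplified record layout (4-byte little-endian length followed by 16-bit code units); the names `read_le32`, `used_storage_wrapping`, `naive_accepts` and `checked_accepts` are hypothetical, and the checked variant shows one overflow-safe bound rather than the body of `String::isValid`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample records (assumed layout, modelled on the commit message):
 * 4-byte little-endian length, then `length` 16-bit code units. */
static const unsigned char GOOD[8] = {0x01, 0x00, 0x00, 0x00, 0x7E, 0x01, 0, 0}; /* "ž", length 1 */
static const unsigned char BAD[8]  = {0xFF, 0xFF, 0xFF, 0x7F, 0x7E, 0x01, 0, 0}; /* length = INT_MAX */

static int32_t read_le32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (int32_t)v;
}

/* Storage size narrowed to 32 bits: 4 + 2 * INT_MAX wraps around to 2. */
static uint32_t used_storage_wrapping(int32_t len)
{
    return (uint32_t)(sizeof(int32_t) + sizeof(uint16_t) * (uint32_t)len);
}

/* Naive validation: trusts the wrapped size, so the corrupted record passes. */
static int naive_accepts(const unsigned char *rec, size_t avail)
{
    if (avail < sizeof(int32_t)) return 0;
    return used_storage_wrapping(read_le32(rec)) <= avail;
}

/* Overflow-safe validation: bound the length by division, never multiply it. */
static int checked_accepts(const unsigned char *rec, size_t avail)
{
    if (avail < sizeof(int32_t)) return 0;
    int32_t len = read_le32(rec);
    if (len < 0) return 0;
    return (size_t)len <= (avail - sizeof(int32_t)) / sizeof(uint16_t);
}

int main(void)
{
    printf("wrapped size for INT_MAX: %u\n", (unsigned)used_storage_wrapping(INT_MAX));
    printf("naive:   good=%d bad=%d\n",
           naive_accepts(GOOD, sizeof GOOD), naive_accepts(BAD, sizeof BAD));
    printf("checked: good=%d bad=%d\n",
           checked_accepts(GOOD, sizeof GOOD), checked_accepts(BAD, sizeof BAD));
    return 0;
}
```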
Jüri Valdmann
93e0ff037e QJsonDocument: Validate also zero-length objects
The added test case is the binary JSON equivalent of

    {"a":{"š":null}}

with two modifications. First, the length of the string "š" has been corrupted
to 0xFFFFFF00. Second and more important, the Base::size field of the inner object
has been reset to 0.

On its own the first modification would normally trigger a validation error.
However, due to the second modification the Value::usedStorage for the inner
object evaluates to 0, completely disabling all further validation of the
object's contents.

Attempting to convert this binary JSON into standard JSON will lead to the JSON
writer trying to construct a QString of length 0xFFFFFF00.

Fixed by validating also objects with usedStorage == 0.

Task-number: QTBUG-61969
Change-Id: I5e59383674dec9be89361759572c0d91d4e16e01
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-04 12:04:05 +00:00
Jüri Valdmann
3fc5500b4f QJsonDocument: Reject objects containing themselves in binary JSON
The added test case is a binary JSON file describing an array which contains
itself. This file passes validation even though attempting to convert it to
plain JSON leads to an infinite loop. Fixed by rejecting it in validation.

Task-number: QTBUG-61969
Change-Id: Ib4472e9777d09840c30c384b24294e4744b02045
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
2018-05-04 12:03:57 +00:00
Jüri Valdmann
d3935cbd71 QJsonDocument::fromRawData: Fix out-of-bounds access
This method takes a pointer+size pair, but begins reading through the pointer
without first checking the size parameter. Fixed by checking the size parameter.

A new test case is added with an empty binary JSON file. Although the test does
not fail under normal conditions, the problem can be detected using valgrind or
AddressSanitizer.

Task-number: QTBUG-61969
Change-Id: Ie91cc9a56dbc3c676472c614d4e633d7721b8481
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2018-05-04 11:53:03 +00:00
Thiago Macieira
4e02c8d5b8 JSON: remove braces from UUID text representations
[ChangeLog][QtCore][QJsonValue] fromVariant() conversion now converts
from QUrl and QUuid using special encoding forms to ensure best JSON
compatibility.

Change-Id: I56b444f9d6274221a3b7fffd150cdc5ca1f87ff1
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2018-03-02 04:06:33 +00:00
Thiago Macieira
a2ffb35ac2 QJsonValue: use the fully-encoded form of a URL in fromVariant()
For compatibility with other parsers that may expect it to be so.

Change-Id: I56b444f9d6274221a3b7fffd150cd66390f98fd5
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2018-03-02 04:06:24 +00:00
Thiago Macieira
a6b697ca13 Create corelib/serialization and move existing file formats into it
This is in preparation to adding CBOR support. We don't need yet another
dir for CBOR and placing it in src/corelib/json is just wrong.

Change-Id: I9741f017961b410c910dfffd14ffb9d870340fa6
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
2018-01-26 20:59:50 +00:00