  1. Qt
  2. QTBUG-34694

Integer overflow in QByteArray::remove leads to crash


Details

    • 315ba388f32ad7943c226f2faba4e9b35e899dc9

    Description

      Documentation of QByteArray::remove: "If pos is valid, but pos + len is larger than the size of the array, the array is truncated at position pos."

      Code in QByteArray.cpp:1820

      if (pos + len >= d->size) ...

      Leads to an integer overflow if pos + len > INT_MAX; my use case was: text.remove(2, INT_MAX).

      Fix:

      if (len >= d->size - pos) ...

      pos is not greater than d->size (checked some lines before).


          People

            thiago Thiago Macieira
            obonorden Olaf Bonorden
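
The check described in the report above, as an added example that is not part of the original issue or of Qt's source: a plain C++ model (no Qt) of the overflow-prone comparison next to the fixed one. The names truncates_before, truncates_after and remove_bytes are hypothetical, and a 32-bit int is assumed.

```cpp
#include <climits>
#include <cstdint>
#include <string>

static_assert(sizeof(int) == 4, "sketch assumes a 32-bit int");

// Model of the reported check `pos + len >= size`. Signed overflow is undefined
// behaviour in C++, so the wrap-around seen on common two's-complement targets
// is reproduced here with unsigned arithmetic (an assumption of this sketch).
bool truncates_before(int pos, int len, int size) {
    std::uint32_t wrapped = static_cast<std::uint32_t>(pos) + static_cast<std::uint32_t>(len);
    std::int32_t sum = static_cast<std::int32_t>(wrapped);  // 2 + INT_MAX becomes negative
    return sum >= size;
}

// Fixed form from the report: `len >= size - pos`. With 0 <= pos <= size the
// subtraction stays in [0, size] and cannot overflow.
bool truncates_after(int pos, int len, int size) {
    return len >= size - pos;
}

// Hypothetical stand-in for a byte-array remove(), using the fixed check.
std::string remove_bytes(std::string data, int pos, int len) {
    int size = static_cast<int>(data.size());
    if (len <= 0 || pos < 0 || pos >= size)
        return data;                       // invalid pos or nothing to remove
    if (truncates_after(pos, len, size))
        data.resize(pos);                  // documented behaviour: truncate at pos
    else
        data.erase(pos, len);              // remove len bytes from the middle
    return data;
}

int main() {
    std::string text = "hello";            // constructed sample input
    bool ok = !truncates_before(2, INT_MAX, 5)  // wrapped sum misses the truncation case
           && truncates_after(2, INT_MAX, 5)
           && remove_bytes(text, 2, INT_MAX) == "he"
           && remove_bytes(text, 1, 3) == "ho";
    return ok ? 0 : 1;
}
```

The general rule the fix follows: when bounding `pos + len` against a size, move the already-validated operand to the other side of the comparison so the arithmetic happens on values known to be in range.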