Details
- Bug
- Resolution: Fixed
- P1: Critical
- QSR 2.0, QSR 2.1
- None
- 721012206 (tqtc/lts-6.5), 62daf0f8d (tqtc/lts-6.5.6)
Description
In the length boundary check, there should be +1 so that the null terminator is calculated into the length value.
```cpp
void QSafeTextLayout::setText(const qchar * const textArg)
{
    const size_t length = safe_strlen(textArg);
    memset(&m_text[0U], 0, sizeof(m_text));
    if (Constraints::MAX_LEN_OF_TEXT < length) {
        throw QSafeTextLayoutException(QSafeTextLayoutException::InvalidText, "Text is too long");
    } else if (length > 0U) {
        // AXIVION Next Line MisraC++-5.2.12: Unavoidable array to pointer decay. Manually verified to be ok.
        strncpy(m_text, textArg, length);
    } else {
        //Empty string
    }
}
```
Also, in safe_strlen, it would be safer to give the max len as a parameter (currently, it is relying on the null terminator only):
```cpp
size_t safe_strlen(const qchar *const strArg, size_t maxLen)
{
    size_t len = 0U;
    if (strArg != NULL) {
        // Test the bound before reading, so strArg[maxLen] is never accessed.
        while (len < maxLen && strArg[len] != '\0') {
            ++len;
        }
    }
    return len;
}
```
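The two points above, side by side, as an added example that is not the project's code: `TextHolder`, `kMaxLen`, `bounded_strlen`, `setTextReported` and `setTextFixed` are hypothetical names, and the buffer is assumed to be `kMaxLen` bytes in total with the terminator included. The functions return `false` where the code in the report throws.

```cpp
#include <cstdio>
#include <cstring>

// Assumption: the member buffer is kMaxLen bytes in total, terminator included.
constexpr std::size_t kMaxLen = 8U;

// Bounded scan: the limit is tested before the byte is read, so at most
// maxLen bytes of strArg are ever touched.
std::size_t bounded_strlen(const char *strArg, std::size_t maxLen) {
    std::size_t len = 0U;
    if (strArg != nullptr) {
        while (len < maxLen && strArg[len] != '\0') { ++len; }
    }
    return len;
}

class TextHolder {  // hypothetical stand-in for the class in the report
public:
    // Check as reported: only the characters are counted against the limit.
    bool setTextReported(const char *text) { return store(text, kMaxLen + 1U, 0U); }
    // Check with +1: the terminator counts against the limit as well.
    bool setTextFixed(const char *text) { return store(text, kMaxLen, 1U); }
    bool terminated() const {
        return std::memchr(m_text, '\0', sizeof(m_text)) != nullptr;
    }
private:
    bool store(const char *text, std::size_t scanLimit, std::size_t reserve) {
        const std::size_t length = bounded_strlen(text, scanLimit);
        std::memset(m_text, 0, sizeof(m_text));
        if (kMaxLen < length + reserve) {
            return false;  // the code in the report throws here
        }
        if (length > 0U) {
            std::memcpy(m_text, text, length);  // length <= kMaxLen, cannot overflow
        }
        return true;
    }
    char m_text[kMaxLen] = {};
};

int main() {
    TextHolder h;  // constructed input: exactly kMaxLen characters
    std::printf("reported: accepted=%d\n", h.setTextReported("ABCDEFGH"));
    std::printf("  terminated=%d\n", h.terminated());
    std::printf("fixed: accepted=%d\n", h.setTextFixed("ABCDEFGH"));
    return 0;
}
```

With the reported check, a string of exactly `kMaxLen` characters fills the buffer and leaves it without a terminator, so any later read that expects a C string runs past the array.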
Attachments
For Gerrit Dashboard: QSR-2497

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
587740,2 | Fix QSafeTextLayout::setText boundary check | tqtc/lts-6.5 | tqtc-boot2qt/qtsaferenderer-runtime | MERGED | +2 | +1 |
588683,2 | Fix QSafeTextLayout::setText boundary check | tqtc/lts-6.5.6 | tqtc-boot2qt/qtsaferenderer-runtime | MERGED | +2 | 0 |