Details
-
Bug
-
Resolution: Done
-
P2: Important
-
4.8.4, 4.8.5, 5.0.0, 5.1.0 , 5.2.0
-
None
-
Microsoft Visual C++ Compiler 10.0 (x86)
Windows 7 SP1
Qt 5.2.0
-
0d50efeae9829336ffb7e47692cfdc649e10ee70 (stable, 18.4.2014,5.3) Qt 4: c1d177d52cfffe61198cfa5ec76bae0c2f44a362 (4.8, 19.3.2014)
Description
Byte array size less than necessary:
QByteArray ba;
ba.resize(usr.length() + pass.length() + enc.length() + role.length() + 6); // 6 additional bytes was allocated (why only 6?)
int i = -1;
ba[++i] = isc_dpb_version1; // first
ba[++i] = isc_dpb_user_name; // second
ba[++i] = usr.length(); // third
memcpy(ba.data() + ++i, usr.data(), usr.length());
i += usr.length();
ba[i] = isc_dpb_password; // fourth
ba[++i] = pass.length(); // fifth
memcpy(ba.data() + ++i, pass.data(), pass.length());
i += pass.length();
ba[i] = isc_dpb_lc_ctype; // sixth
ba[++i] = enc.length(); // !!!!!! seventh
memcpy(ba.data() + ++i, enc.data(), enc.length());
i += enc.length();
if (!role.isEmpty())
{ ba[i] = isc_dpb_sql_role_name; // !!!!!!! ba[++i] = role.length(); // !!!!!!! memcpy(ba.data() + ++i, role.data(), role.length()); i += role.length(); }Attachments
For Gerrit Dashboard: QTBUG-37508 | ||||||
---|---|---|---|---|---|---|
# | Subject | Branch | Project | Status | CR | V |
81181,1 | Fix QByteArray memory corruption in QIBaseDriver::open(). | stable | qt/qtbase | Status: MERGED | +2 | 0 |
81301,1 | Fix QByteArray memory corruption in QIBaseDriver::open(). | 4.8 | qt/qt | Status: MERGED | +2 | 0 |