The Punycode decoding in Qt seems to be missing overflow handling, which allows different normalized URLs to be decoded to the same Unicode string without errors:
This should not be allowed:
This particular test case does not work anymore with https://codereview.qt-project.org/c/qt/qtbase/+/363213 applied, but the bug is still there:
The fix is slightly more complicated than adding the range check because of how the code is organized.
The following code was used to generate the test vectors:
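For reference, an added example that is not part of the original report, is not the generator code it mentions, and is not Qt's implementation: a decoder following RFC 3492 section 6.2 that places the RFC's overflow checks on `i`, `w` and `n`, so an input whose arithmetic would wrap is rejected instead of decoding to some other string. The name `decodePunycode` and the final code point range check are assumptions of this example.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <string>
// Added illustration (hypothetical name decodePunycode); not Qt's code.
// Decodes the part of a label after "xn--" per RFC 3492 section 6.2 and
// returns std::nullopt on malformed input or on any arithmetic overflow.
std::optional<std::u32string> decodePunycode(const std::string &in) {
    constexpr uint32_t base = 36, tmin = 1, tmax = 26, skew = 38, damp = 700;
    constexpr uint32_t maxint = std::numeric_limits<uint32_t>::max();
    uint32_t n = 128, i = 0, bias = 72;
    std::u32string out;
    size_t pos = 0;
    const size_t delim = in.rfind('-');
    if (delim != std::string::npos) {  // text before the last '-' is literal ASCII
        for (size_t j = 0; j < delim; ++j) {
            if (static_cast<unsigned char>(in[j]) >= 0x80) return std::nullopt;
            out.push_back(static_cast<char32_t>(in[j]));
        }
        pos = delim + 1;
    }
    while (pos < in.size()) {
        const uint32_t oldi = i;
        uint32_t w = 1;
        for (uint32_t k = base;; k += base) {
            if (pos >= in.size()) return std::nullopt;          // truncated integer
            const char c = in[pos++];
            const uint32_t digit = (c >= 'a' && c <= 'z') ? c - 'a'
                                 : (c >= 'A' && c <= 'Z') ? c - 'A'
                                 : (c >= '0' && c <= '9') ? c - '0' + 26 : base;
            if (digit >= base) return std::nullopt;             // not a Punycode digit
            if (digit > (maxint - i) / w) return std::nullopt;  // i += digit * w would wrap
            i += digit * w;
            const uint32_t t = k <= bias ? tmin : k >= bias + tmax ? tmax : k - bias;
            if (digit < t) break;
            if (w > maxint / (base - t)) return std::nullopt;   // w *= base - t would wrap
            w *= base - t;
        }
        const uint32_t len = static_cast<uint32_t>(out.size()) + 1;
        uint32_t delta = oldi == 0 ? (i - oldi) / damp : (i - oldi) / 2;  // bias adaptation
        delta += delta / len;
        uint32_t k = 0;
        for (; delta > ((base - tmin) * tmax) / 2; k += base) delta /= base - tmin;
        bias = k + (base - tmin + 1) * delta / (delta + skew);
        if (i / len > maxint - n) return std::nullopt;          // n += i / len would wrap
        n += i / len;
        i %= len;
        // Assumption of this example: also reject values that are not Unicode scalar values.
        if (n > 0x10FFFF || (n >= 0xD800 && n <= 0xDFFF)) return std::nullopt;
        out.insert(out.begin() + i++, static_cast<char32_t>(n));
    }
    return out;
}
int main() { return decodePunycode("bcher-kva") ? 0 : 1; }
```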