feedc0de/qt-creator
1
0
Fork 0
forked from qt-creator/qt-creator
Code Pull Requests Activity

QmlDebug/QmlProfiler: Fix integer range checks

Browse Source 
The packet protocol should check if the number of bytes to be read is
positive.

The check in QmlTypedEvent is supposed to happen before we cast the
number to the more restrictive type. Furthermore, if subtype doesn't
fit the range constraint, we don't have to do anything at all as the
default rangeType is already set before.

Change-Id: I45006f8dd752787d59960948b222148d78509aba
Reviewed-by: Tobias Hunger <tobias.hunger@qt.io>
This commit is contained in:
Ulf Hermann
2018-06-06 14:50:55 +02:00
parent 909f30f006
commit 36d5d3acc1
2 changed files with 5 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/libs/qmldebug/qpacketprotocol.cpp
View File

@@ -29,8 +29,6 @@
namespace QmlDebug { namespace QmlDebug {
static const unsigned int MAX_PACKET_SIZE = 0x7FFFFFFF;
/*! /*!
\class QPacketProtocol \class QPacketProtocol
\internal \internal
@@ -98,8 +96,7 @@ class QPacketProtocolPrivate : public QObject
public: public:
QPacketProtocolPrivate(QPacketProtocol *parent, QIODevice *_dev) QPacketProtocolPrivate(QPacketProtocol *parent, QIODevice *_dev)
: QObject(parent), inProgressSize(-1), maxPacketSize(MAX_PACKET_SIZE), : QObject(parent), inProgressSize(-1), waitingForPacket(false), dev(_dev)
waitingForPacket(false), dev(_dev)
{ {
Q_ASSERT(4 == sizeof(qint32)); Q_ASSERT(4 == sizeof(qint32));
@@ -152,12 +149,12 @@ public:
return; return;
// Read size header // Read size header
int read = dev->read((char *)&inProgressSize, sizeof(qint32)); const qint64 read = dev->read((char *)&inProgressSize, sizeof(qint32));
Q_ASSERT(read == sizeof(qint32)); Q_ASSERT(read == sizeof(qint32));
Q_UNUSED(read); Q_UNUSED(read);
// Check sizing constraints // Check sizing constraints
if (inProgressSize > maxPacketSize) { if (inProgressSize < qint32(sizeof(qint32))) {
QObject::disconnect(dev, &QIODevice::readyRead, QObject::disconnect(dev, &QIODevice::readyRead,
this, &QPacketProtocolPrivate::readyToRead); this, &QPacketProtocolPrivate::readyToRead);
QObject::disconnect(dev, &QIODevice::aboutToClose, QObject::disconnect(dev, &QIODevice::aboutToClose,
@@ -191,7 +188,6 @@ public:
QList<QByteArray> packets; QList<QByteArray> packets;
QByteArray inProgress; QByteArray inProgress;
qint32 inProgressSize; qint32 inProgressSize;
qint32 maxPacketSize;
bool waitingForPacket; bool waitingForPacket;
QIODevice *dev; QIODevice *dev;
}; };

3
src/plugins/qmlprofiler/qmltypedevent.cpp
View File

@@ -42,9 +42,8 @@ QDataStream &operator>>(QDataStream &stream, QmlTypedEvent &event)
RangeType rangeType = MaximumRangeType; RangeType rangeType = MaximumRangeType;
if (!stream.atEnd()) { if (!stream.atEnd()) {
stream >> subtype; stream >> subtype;
if (subtype >= 0 && subtype < MaximumRangeType)
rangeType = static_cast<RangeType>(subtype); rangeType = static_cast<RangeType>(subtype);
if (rangeType < 0 || rangeType > MaximumRangeType)
rangeType = MaximumRangeType;
} else { } else {
subtype = -1; subtype = -1;
} }