authorMarc Mutz <marc.mutz@kdab.com>2016-01-06 13:50:56 +0100
committerMarc Mutz <marc.mutz@kdab.com>2016-01-11 18:16:31 +0000
commit71ea41f999c1dbe83cba2491f5ac99d6c5a3d98c (patch)
tree8f89d4640941b93232216f942f5104d2a822004c
parentDon't pass NULL Display to glXGetClientString (diff)
Fix UB in QVariant::canConvert()
'currentType' was not sanitized before being used as a shift. Fix by checking for a valid shift amount before shifting. Also change the shifted value from 1 (int) to 1U (uint). It's just the right thing to do. Found by UBSan: qtbase/src/corelib/kernel/qvariant.cpp:3131:59: runtime error: shift exponent 1114 is too large for 32-bit type 'unsigned int' Change-Id: Id3910d6d7f166fd7c80adf5ce1699f0eeb453562 Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@theqtcompany.com> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
-rw-r--r--src/corelib/kernel/qvariant.cpp9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/corelib/kernel/qvariant.cpp b/src/corelib/kernel/qvariant.cpp
index f7a4abbf68..811483d74f 100644
--- a/src/corelib/kernel/qvariant.cpp
+++ b/src/corelib/kernel/qvariant.cpp
@@ -2891,6 +2891,7 @@ static const quint32 qCanConvertMatrix[QVariant::LastCoreType + 1] =
/*QUuid*/ 1 << QVariant::String
};
+static const size_t qCanConvertMatrixMaximumTargetType = 8 * sizeof(*qCanConvertMatrix);
#ifndef QT_BOOTSTRAPPED
/*!
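Review bot: The new constant on the `+` line is a bound on the shift amount, i.e. on `currentType` (the bit index, which is the source type), yet its name says "MaximumTargetType", which reads as a bound on the row index `targetTypeId` that it does not guard. A reader skimming the two call sites later in this patch will assume the matrix index is covered by it. Suggest naming it for what it is and documenting the relationship to the row type, e.g. `// Bits per qCanConvertMatrix row; a source type id must be below this to be used as a shift.` over `static const size_t qCanConvertMatrixBitCount = 8 * sizeof(*qCanConvertMatrix);`. `8 *` is fine for every platform Qt targets, but if `<climits>` is already included (not visible here) `CHAR_BIT * sizeof(...)` states the intent without a magic number.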
@@ -3140,8 +3141,9 @@ bool QVariant::canConvert(int targetTypeId) const
case QMetaType::ULong:
case QMetaType::Short:
case QMetaType::UShort:
- return qCanConvertMatrix[QVariant::Int] & (1 << currentType)
- || currentType == QVariant::Int
+ return currentType == QVariant::Int
+ || (currentType < qCanConvertMatrixMaximumTargetType
+ && qCanConvertMatrix[QVariant::Int] & (1U << currentType))
|| QMetaType::typeFlags(currentType) & QMetaType::IsEnumeration;
case QMetaType::QObjectStar:
return canConvertMetaObject(currentType, targetTypeId, d.data.o);
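Review bot: The new condition on the `+` lines relies on `&` binding tighter than `&&` and `||`, so `currentType < bound && qCanConvertMatrix[QVariant::Int] & (1U << currentType)` is correct but easy to misread as a precedence bug; wrapping the bit test as `(qCanConvertMatrix[QVariant::Int] & (1U << currentType)) != 0` makes the guard-then-test shape explicit and silences the parentheses warnings some compilers emit for this pattern. The declaration of `currentType` and the start of `canConvert` are outside this hunk; the range check only guarantees a valid shift if `currentType` is non-negative (a negative signed value converts to a huge `size_t` and fails the comparison, which is safe but worth a one-line comment). The `|| QMetaType::typeFlags(currentType) & QMetaType::IsEnumeration` branch would benefit from the same parenthesization for consistency.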
@@ -3152,7 +3154,8 @@ bool QVariant::canConvert(int targetTypeId) const
if (targetTypeId == String && currentType == StringList)
return v_cast<QStringList>(&d)->count() == 1;
- return qCanConvertMatrix[targetTypeId] & (1 << currentType);
+ return currentType < qCanConvertMatrixMaximumTargetType
+ && qCanConvertMatrix[targetTypeId] & (1U << currentType);
}
/*!
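Review bot: The `+` lines bound the shift amount but not the row index: `qCanConvertMatrix` has `QVariant::LastCoreType + 1` entries (see the first hunk header) and `targetTypeId` is still used as an index with no check visible in this hunk. If the earlier part of `canConvert` (outside this hunk) does not already reject `targetTypeId > QVariant::LastCoreType`, this read is out of bounds just as the shift was; I cannot confirm from here, so a local guard such as `if (uint(targetTypeId) > QVariant::LastCoreType) return false;` before the return, or a comment naming the earlier check that makes it unreachable, would close the question for the next reader. As in the previous hunk, parenthesizing the bit test, `(qCanConvertMatrix[targetTypeId] & (1U << currentType)) != 0`, keeps the guard-then-test order explicit.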