authorAxel Spoerl <axel.spoerl@qt.io>2022-08-05 08:33:56 +0200
committerVolker Hilsheimer <volker.hilsheimer@qt.io>2022-08-24 14:08:18 +0000
commit854cb55987b3de3c8379db0e7e95b4c94d4e6588 (patch)
tree7aedd7aa1bb92db52cd448b4a5fa27eba955bb66 /src/widgets/itemviews
parente38c7618be50e16b51cc8afdab52ffb26ed76b0c (diff)
downloadqtbase-854cb55987b3de3c8379db0e7e95b4c94d4e6588.tar.gz
Make QHeaderView restore state from different stream versions
If restoring a QHeaderView state from a data stream with version Qt_5_0, check alignment and resize mode properties for out-of-bound values. If out of bounds, try QDataStream version Qt_6_0, which is used by KDE apps compiled with 5.15.2 or 6.2.3. QFileDialog stores settings in the same settings file across different Qt versions, using different QDataStream versions. That makes QFileDialog vulnerable to the issue (QTBUG-104962). A respective auto test is added with this patch. Fixes: QTBUG-104962 Pick-to: 6.4 6.3 6.2 Task-number: QTBUG-104425 Change-Id: I666207fca7ab837ad27a247e504a40757ee8afab Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Diffstat (limited to 'src/widgets/itemviews')
-rw-r--r--src/widgets/itemviews/qheaderview.cpp42
1 files changed, 28 insertions, 14 deletions
diff --git a/src/widgets/itemviews/qheaderview.cpp b/src/widgets/itemviews/qheaderview.cpp
index 413857bf6c..dfb60a91ec 100644
--- a/src/widgets/itemviews/qheaderview.cpp
+++ b/src/widgets/itemviews/qheaderview.cpp
@@ -1762,22 +1762,27 @@ bool QHeaderView::restoreState(const QByteArray &state)
Q_D(QHeaderView);
if (state.isEmpty())
return false;
- QByteArray data = state;
- QDataStream stream(&data, QIODevice::ReadOnly);
- stream.setVersion(QDataStream::Qt_5_0);
- int marker;
- int ver;
- stream >> marker;
- stream >> ver;
- if (stream.status() != QDataStream::Ok
+
+ for (const auto dataStreamVersion : {QDataStream::Qt_5_0, QDataStream::Qt_6_0}) {
+
+ QByteArray data = state;
+ QDataStream stream(&data, QIODevice::ReadOnly);
+ stream.setVersion(dataStreamVersion);
+ int marker;
+ int ver;
+ stream >> marker;
+ stream >> ver;
+ if (stream.status() != QDataStream::Ok
|| marker != QHeaderViewPrivate::VersionMarker
- || ver != 0) // current version is 0
- return false;
+ || ver != 0) { // current version is 0
+ return false;
+ }
- if (d->read(stream)) {
- emit sortIndicatorChanged(d->sortIndicatorSection, d->sortIndicatorOrder );
- d->viewport->update();
- return true;
+ if (d->read(stream)) {
+ emit sortIndicatorChanged(d->sortIndicatorSection, d->sortIndicatorOrder );
+ d->viewport->update();
+ return true;
+ }
}
return false;
}
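Review bot: A failing `d->read(stream)` is now an expected path in restoreState(), because every state written with Qt_6_0 has to fail the Qt_5_0 pass first, so the fallback is only sound if read() rejects bad data before it assigns any member. read() is defined outside this hunk, and the only rejection visible on this page is the pair of checks right after `in >> global`. If a later step in read() can fail after members were written, the second pass (or a final `return false`) would run on a partly restored header. The reason for trying two versions is only in the commit message, so it deserves a comment above the loop, for example `// The state may have been written with either stream version (QTBUG-104962): try Qt_5_0 first, then Qt_6_0.`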
@@ -4131,6 +4136,15 @@ bool QHeaderViewPrivate::read(QDataStream &in)
in >> global;
+ // Check parameter consistency
+ // Global orientation out of bounds?
+ if (global < 0 || global > QHeaderView::ResizeToContents)
+ return false;
+
+ // Alignment out of bounds?
+ if (align < 0 || align > Qt::AlignVertical_Mask)
+ return false;
+
in >> sectionItemsIn;
// In Qt4 we had a vector of spans where one span could hold information on more sections.
// Now we have an itemvector where one items contains information about one section
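Review bot: `align > Qt::AlignVertical_Mask` compares a flags value as if it were a range, so any bit pattern below the mask passes, including ones that are not a meaningful alignment. A mask test along the lines of `if (align & ~int(Qt::AlignHorizontal_Mask | Qt::AlignVertical_Mask)) return false;` states the intent directly and still rejects negative values. The comment `// Global orientation out of bounds?` sits above a comparison with QHeaderView::ResizeToContents, which is a resize mode, so it should read `// Global resize mode out of bounds?`. Neither check looks at `in.status()`, so whether a truncated stream is caught depends on code outside this hunk; read() starts and ends beyond the lines shown.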