diff options
author | Marc Mutz <marc.mutz@qt.io> | 2021-12-17 09:08:45 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-12-17 11:02:34 +0000 |
commit | b74f445dd9270212638e567230468835dc0a8be3 (patch) | |
tree | c8918bb6cd714a5ebeaf5922150ca018b15b8d93 | |
parent | 72bbef8b0eec3aff9d58ae83e2afef9ec0758fb7 (diff) | |
download | qtwebsockets-b74f445dd9270212638e567230468835dc0a8be3.tar.gz |
QWebSocketProtocol: fix potential UB (signed overflow) in masking operation
The size of the payload is a 64-bit integer, which the loop counts
down. If the size is > INT_MAX, then we'll overflow the int i used to
track the current position in the mask.
Fix by using an unsigned integer type instead.
Change-Id: Ia3b8d42ae906eb03c1c7399cb1137a08121fcde3
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 38218494a65049b5f9da7a8aab012a969c7dac86)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/websockets/qwebsocketprotocol.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/websockets/qwebsocketprotocol.cpp b/src/websockets/qwebsocketprotocol.cpp index df87a93..d0465f1 100644 --- a/src/websockets/qwebsocketprotocol.cpp +++ b/src/websockets/qwebsocketprotocol.cpp @@ -210,7 +210,7 @@ void QWebSocketProtocol::mask(char *payload, quint64 size, quint32 maskingKey) quint8((maskingKey & 0x0000FF00u) >> 8), quint8((maskingKey & 0x000000FFu)) }; - int i = 0; + quint64 i = 0; while (size-- > 0) *payload++ ^= mask[i++ % 4]; } |