QWebSocketProtocol: fix potential UB (signed overflow) in masking operation

The size of the payload is a 64-bit integer, which the loop counts down. If the size is > INT_MAX, then we'll overflow the int i used to track the current position in the mask. Fix by using an unsigned integer type instead. Change-Id: Ia3b8d42ae906eb03c1c7399cb1137a08121fcde3 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io> (cherry picked from commit 38218494a65049b5f9da7a8aab012a969c7dac86) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Marc Mutz <marc.mutz@qt.io> 2021-12-17 09:08:45 +0100
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2021-12-17 11:02:34 +0000
commit: b74f445dd9270212638e567230468835dc0a8be3 (patch)
tree: c8918bb6cd714a5ebeaf5922150ca018b15b8d93
parent: 72bbef8b0eec3aff9d58ae83e2afef9ec0758fb7 (diff)
download: qtwebsockets-b74f445dd9270212638e567230468835dc0a8be3.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/websockets/qwebsocketprotocol.cpp b/src/websockets/qwebsocketprotocol.cpp
index df87a93..d0465f1 100644
--- a/src/websockets/qwebsocketprotocol.cpp
+++ b/src/websockets/qwebsocketprotocol.cpp
@@ -210,7 +210,7 @@ void QWebSocketProtocol::mask(char *payload, quint64 size, quint32 maskingKey)
                             quint8((maskingKey & 0x0000FF00u) >> 8),
                             quint8((maskingKey & 0x000000FFu))
                           };
-    int i = 0;
+    quint64 i = 0;
     while (size-- > 0)
         *payload++ ^= mask[i++ % 4];
 }
author	Marc Mutz <marc.mutz@qt.io>	2021-12-17 09:08:45 +0100
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2021-12-17 11:02:34 +0000
commit	b74f445dd9270212638e567230468835dc0a8be3 (patch)
tree	c8918bb6cd714a5ebeaf5922150ca018b15b8d93
parent	72bbef8b0eec3aff9d58ae83e2afef9ec0758fb7 (diff)
download	qtwebsockets-b74f445dd9270212638e567230468835dc0a8be3.tar.gz