diff options
author | Marc Mutz <marc.mutz@qt.io> | 2021-12-17 09:08:45 +0100 |
---|---|---|
committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2021-12-17 11:17:34 +0000 |
commit | 6b31ac7bf9f556bfdfbb51a16b7dd9ca65096860 (patch) | |
tree | 2752ae394cc9667aa90218b889a75a9148d3b7a1 | |
parent | 9bfa05285b720fa79d4b80492903db129e3f3f1d (diff) | |
download | qtwebsockets-6b31ac7bf9f556bfdfbb51a16b7dd9ca65096860.tar.gz |
QWebSocketProtocol: fix potential UB (signed overflow) in masking operation
The size of the payload is a 64-bit integer, which the loop counts
down. If the size is > INT_MAX, then we'll overflow the int i used to
track the current position in the mask.
Fix by using an unsigned integer type instead.
Change-Id: Ia3b8d42ae906eb03c1c7399cb1137a08121fcde3
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 38218494a65049b5f9da7a8aab012a969c7dac86)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r-- | src/websockets/qwebsocketprotocol.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/websockets/qwebsocketprotocol.cpp b/src/websockets/qwebsocketprotocol.cpp index fc77632..319cc8f 100644 --- a/src/websockets/qwebsocketprotocol.cpp +++ b/src/websockets/qwebsocketprotocol.cpp @@ -210,7 +210,7 @@ void QWebSocketProtocol::mask(char *payload, quint64 size, quint32 maskingKey) quint8((maskingKey & 0x0000FF00u) >> 8), quint8((maskingKey & 0x000000FFu)) }; - int i = 0; + quint64 i = 0; while (size-- > 0) *payload++ ^= mask[i++ % 4]; } |