From b74f445dd9270212638e567230468835dc0a8be3 Mon Sep 17 00:00:00 2001
From: Marc Mutz
Date: Fri, 17 Dec 2021 09:08:45 +0100
Subject: QWebSocketProtocol: fix potential UB (signed overflow) in masking operation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The size of the payload is a 64-bit integer, which the loop counts down. If the size is > INT_MAX, then we'll overflow the int i used to track the current position in the mask. Fix by using an unsigned integer type instead.

Change-Id: Ia3b8d42ae906eb03c1c7399cb1137a08121fcde3
Reviewed-by: MÃ¥rten Nordheim
(cherry picked from commit 38218494a65049b5f9da7a8aab012a969c7dac86)
Reviewed-by: Qt Cherry-pick Bot
---
 src/websockets/qwebsocketprotocol.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/websockets/qwebsocketprotocol.cpp b/src/websockets/qwebsocketprotocol.cpp
index df87a93..d0465f1 100644
--- a/src/websockets/qwebsocketprotocol.cpp
+++ b/src/websockets/qwebsocketprotocol.cpp
@@ -210,7 +210,7 @@ void QWebSocketProtocol::mask(char *payload, quint64 size, quint32 maskingKey)
 quint8((maskingKey & 0x0000FF00u) >> 8),
 quint8((maskingKey & 0x000000FFu))
 };
- int i = 0;
+ quint64 i = 0;
 while (size-- > 0)
 *payload++ ^= mask[i++ % 4];
 }
--
cgit v1.2.1
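Review bot: The new `quint64 i = 0;` declaration has no comment explaining why the counter must be unsigned and as wide as `size`, so a later cleanup could narrow it back to `int` and reintroduce the signed overflow for payloads larger than INT_MAX. I would add above it `// unsigned, same width as size: a signed int would overflow (UB) once size > INT_MAX`. Because only the low two bits of the counter select the mask byte, the loop body could also be written `*payload++ ^= mask[i++ & 3];`, which makes it clear that the index stays within the four-byte array. The body of mask() starts outside this hunk, so the array declaration and any precondition that `payload` holds at least `size` bytes are not visible here.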