qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()

Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch
Last-Update: 2025-06-29

It is a precondition violation to call QByteArrayView::at() with
size() as argument. The code used that, though, as an implicit
end-of-string check, assuming == ' ' and == '=' would both fail for
null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
need not be null-terminated, so this could read even past size().

To fix, use higher-level API (startsWith()), consuming parsed tokens
along the way.

Gbp-Pq: Name upstream_cve-2025-5455_fix_data_assertion_error.diff

diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
index 65b934b3f67f72437de9593e36e7d14cbf46f266..c5ecca8fb826ec999b2266381e08b6e7014e7b1f 100644 (file)
--- a/src/corelib/io/qdataurl.cpp
+++ b/src/corelib/io/qdataurl.cpp
@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
         QLatin1StringView textPlain;
         constexpr auto charset = "charset"_L1;
         if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive)) {
-            qsizetype i = charset.size();
-            while (data.at(i) == ' ')
-                ++i;
-            if (data.at(i) == '=')
+            QByteArrayView copy = data.sliced(charset.size());
+            while (copy.startsWith(' '))
+                copy.slice(1);
+            if (copy.startsWith('='))
                 textPlain = "text/plain;"_L1;
         }