Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch
Last-Update: 2025-06-29
It is a precondition violation to call QByteArrayView::at() with
size() as argument. The code used that, though, as an implicit
end-of-string check, assuming == ' ' and == '=' would both fail for
null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
need not be null-terminated, so this could read even past size().
To fix, use higher-level API (startsWith()), consuming parsed tokens
along the way.
Gbp-Pq: Name CVE-2025-5455.diff
}
if (data.toLower().startsWith("charset")) {
- int i = 7; // strlen("charset")
- while (data.at(i) == ' ')
- ++i;
- if (data.at(i) == '=')
+ int prefixSize = 7; // strlen("charset")
+ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
+ while (copy.startsWith(QLatin1String(" ")))
+ copy = copy.mid(1);
+ if (copy.startsWith(QLatin1String("=")))
data.prepend("text/plain;");
}
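Review bot: the hunk is shown without its `@@` header, the `---`/`+++` file headers or the name of the enclosing function, so it cannot be applied or checked against the 5.15 source as posted; please include the full hunk context (the Origin URL above presumably carries it). On the logic itself, the replacement is sound: when `data.size() == prefixSize` the view `copy` is empty, both `startsWith()` calls return false, and nothing past `size()` is touched, which is exactly the out-of-bounds read the message describes for `data.at(i)` with `i == size()`. Two smaller points: the name `copy` is misleading for a `QLatin1String`, which is a non-owning view over `data.constData()`, so something like `rest` or `tail` would document the intent better; and the loop still skips only `' '`, not tabs, which matches the old behaviour and is fine, but worth a one-line comment so nobody later "fixes" it to `trimmed()` and changes the parse.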