From: Debian Qt/KDE Maintainers Date: Sun, 29 Jun 2025 19:50:45 +0000 (+0300) Subject: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() X-Git-Tag: archive/raspbian/5.15.15+dfsg-6+rpi1^2~12 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a25a56d192cd5c2983d29eae41d5a5b8bf75da0c;p=qtbase-opensource-src.git qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch Last-Update: 2025-06-29 It is a precondition violation to call QByteArrayView::at() with size() as argument. The code used that, though, as an implicit end-of-string check, assuming == ' ' and == '=' would both fail for null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) need not be null-terminated, so this could read even past size(). To fix, use higher-level API (startsWith()), consuming parsed tokens along the way. Gbp-Pq: Name CVE-2025-5455.diff --- diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp index 9cb1b9abd..707bc358b 100644 --- a/src/corelib/io/qdataurl.cpp +++ b/src/corelib/io/qdataurl.cpp @@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray } if (data.toLower().startsWith("charset")) { - int i = 7; // strlen("charset") - while (data.at(i) == ' ') - ++i; - if (data.at(i) == '=') + int prefixSize = 7; // strlen("charset") + QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); + while (copy.startsWith(QLatin1String(" "))) + copy = copy.mid(1); + if (copy.startsWith(QLatin1String("="))) data.prepend("text/plain;"); }
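Review bot: `copy` is a QLatin1String view that aliases the buffer behind `data.constData()`, and the unchanged `data.prepend("text/plain;")` at the end of the hunk can reallocate that buffer; the ordering is safe as written only because `copy` is never read after the prepend, so a one-line comment saying so (or scoping `copy` in its own block that closes before the prepend) would keep a later edit from turning this into a dangling read. The exhausted-input case is now handled correctly: when all characters after "charset" are spaces, `copy` becomes empty and both `startsWith` calls return false rather than indexing at size(), which is the precondition violation the message describes; a regression test with inputs such as "charset" and "charset   " (no '=') would pin that down. Minor: `prefixSize` never changes and could be `const`.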