From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Date: Mon, 24 Mar 2025 12:42:48 +0000 (+0300)
Subject: HPack: fix incorrect integer overflow check
X-Git-Tag: archive/raspbian/5.15.15+dfsg-5+rpi1^2~19
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ef5dcaadc1f00b96952dc832f58396e257455117;p=qtbase-opensource-src.git

HPack: fix incorrect integer overflow check

Origin: upstream
 https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff
 https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
Last-Update: 2024-01-13


Gbp-Pq: Name CVE-2023-51714.diff
---

diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
index fddb5feca..315f3e234 100644
--- a/src/network/access/http2/hpacktable.cpp
+++ b/src/network/access/http2/hpacktable.cpp
@@ -40,6 +40,7 @@
 #include "hpacktable_p.h"
 
 #include <QtCore/qdebug.h>
+#include <QtCore/private/qnumeric_p.h>
 
 #include <algorithm>
 #include <cstddef>
@@ -62,8 +63,10 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value)
     // for counting the number of references to the name and value would have
     // 32 octets of overhead."
 
-    const unsigned sum = unsigned(name.size() + value.size());
-    if (std::numeric_limits<unsigned>::max() - 32 < sum)
+    size_t sum;
+    if (add_overflow(size_t(name.size()), size_t(value.size()), &sum))
+        return HeaderSize();
+    if (sum > (std::numeric_limits<unsigned>::max() - 32))
         return HeaderSize();
     return HeaderSize(true, quint32(sum + 32));
 }