From 6279b74b8cd69598e2c3569cadfce84af7676d70 Mon Sep 17 00:00:00 2001
From: Debian Qt/KDE Maintainers
Date: Fri, 18 Jul 2025 15:28:20 +0200
Subject: [PATCH] qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch
Last-Update: 2025-06-29
It is a precondition violation to call QByteArrayView::at() with size() as argument. The code used that, though, as an implicit end-of-string check, assuming == ' ' and == '=' would both fail for null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) need not be null-terminated, so this could read even past size(). To fix, use higher-level API (startsWith()), consuming parsed tokens along the way.
Gbp-Pq: Name upstream_cve-2025-5455_fix_data_assertion_error.diff
---
 src/corelib/io/qdataurl.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
index 65b934b3..c5ecca8f 100644
--- a/src/corelib/io/qdataurl.cpp
+++ b/src/corelib/io/qdataurl.cpp
@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
 QLatin1StringView textPlain;
 constexpr auto charset = "charset"_L1;
 if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive)) {
- qsizetype i = charset.size();
- while (data.at(i) == ' ')
- ++i;
- if (data.at(i) == '=')
+ QByteArrayView copy = data.sliced(charset.size());
+ while (copy.startsWith(' '))
+ copy.slice(1);
+ if (copy.startsWith('='))
 textPlain = "text/plain;"_L1;
 }
-- 
2.30.2
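Review bot: The new `QByteArrayView copy = data.sliced(charset.size());` is only safe if `data` is itself a non-owning view; its declaration sits above the hunk, and if it were an owning QByteArray, `sliced()` would return a temporary that `copy` would dangle on as soon as the statement ends. The commit title refers to QByteArrayView::at(), which suggests `data` is a view, but that is worth confirming in the surrounding code since the hunk does not show it. The in-place `copy.slice(1)` used in the loop is newer API than `sliced()`, so cherry-picking this to an older branch needs a check that it exists there; that would be worth a sentence in the commit message rather than relying on the Origin URL alone. A one-line comment above the loop would also save the next reader from re-deriving the fix: `// startsWith() is false on an empty view, so consuming tokens this way can never read past size() (CVE-2025-5455)`. qDecodeDataUrl() begins and ends outside this hunk.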