diff options
| author | Peter Wu <peter@lekensteyn.nl> | 2014-11-29 19:29:26 +0100 |
|---|---|---|
| committer | Gerald Combs <gerald@wireshark.org> | 2014-12-01 00:56:26 +0000 |
| commit | 18f01099694ed5c2758105f893ba37589f552717 (patch) | |
| tree | 78464c882944cf12058ed99ac9829ab03c69cde8 /ui/qt/uat_dialog.cpp | |
| parent | 846bb5394812c39359dfdbbf7e8755a7e3cf5326 (diff) | |
| download | wireshark-18f01099694ed5c2758105f893ba37589f552717.tar.gz | |
qt: fix use-after-free pattern
qstring.toUtf8() returns a QByteArray object and .constData() returns
a pointer inside that object. It is not safe to store this pointer as
it will become invalid after the statement. Store a const reference
instead. (Due to scoping differences, some are copy-assigned though.)
In the UAT dialog, strlen(bytes.constData()) has also been replaced by
bytes.size() as an optimization.
Caught by ASAN.
Change-Id: Ie09f999a32d0ef1abaa1e658b9403b74bedffc37
Reviewed-on: https://code.wireshark.org/review/5528
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'ui/qt/uat_dialog.cpp')
| -rw-r--r-- | ui/qt/uat_dialog.cpp | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/ui/qt/uat_dialog.cpp b/ui/qt/uat_dialog.cpp index df1a364f74..ce45d429f3 100644 --- a/ui/qt/uat_dialog.cpp +++ b/ui/qt/uat_dialog.cpp @@ -266,8 +266,9 @@ void UatDialog::on_uatTreeWidget_itemActivated(QTreeWidgetItem *item, int column case PT_TXTMOD_FILENAME: { QString cur_path = fieldString(row, column); - QString new_path = QFileDialog::getSaveFileName(this, field->title, cur_path, QString(), NULL, fd_opt); - field->cb.set(rec, new_path.toUtf8().constData(), (unsigned) strlen(new_path.toUtf8().constData()), field->cbdata.set, field->fld_data); + const QByteArray& new_path = QFileDialog::getSaveFileName(this, + field->title, cur_path, QString(), NULL, fd_opt).toUtf8(); + field->cb.set(rec, new_path.constData(), (unsigned) new_path.size(), field->cbdata.set, field->fld_data); updateItem(*item); break; } @@ -362,11 +363,11 @@ void UatDialog::enumPrefCurrentIndexChanged(int index) guint row = item->data(0, Qt::UserRole).toUInt(); void *rec = UAT_INDEX_PTR(uat_, row); uat_field_t *field = &uat_->fields[cur_column_]; - const char *enum_txt = cur_combo_box_->itemText(index).toUtf8().constData(); + const QByteArray& enum_txt = cur_combo_box_->itemText(index).toUtf8(); const char *err = NULL; - if (field->cb.chk && field->cb.chk(rec, enum_txt, (unsigned) strlen(enum_txt), field->cbdata.chk, field->fld_data, &err)) { - field->cb.set(rec, enum_txt, (unsigned) strlen(enum_txt), field->cbdata.set, field->fld_data); + if (field->cb.chk && field->cb.chk(rec, enum_txt.constData(), (unsigned) enum_txt.size(), field->cbdata.chk, field->fld_data, &err)) { + field->cb.set(rec, enum_txt.constData(), (unsigned) enum_txt.size(), field->cbdata.set, field->fld_data); ok_button_->setEnabled(true); } else { ok_button_->setEnabled(false); @@ -384,14 +385,14 @@ void UatDialog::stringPrefTextChanged(const QString &text) guint row = item->data(0, Qt::UserRole).toUInt(); void *rec = UAT_INDEX_PTR(uat_, row); uat_field_t *field = &uat_->fields[cur_column_]; - const char *txt = text.toUtf8().constData(); + const QByteArray& txt = text.toUtf8(); const char *err = NULL; bool enable_ok = true; SyntaxLineEdit::SyntaxState ss = SyntaxLineEdit::Empty; if (field->cb.chk) { - if (field->cb.chk(rec, txt, (unsigned) strlen(txt), field->cbdata.chk, field->fld_data, &err)) { - field->cb.set(rec, txt, (unsigned) strlen(txt), field->cbdata.set, field->fld_data); + if (field->cb.chk(rec, txt.constData(), (unsigned) txt.size(), field->cbdata.chk, field->fld_data, &err)) { + field->cb.set(rec, txt.constData(), (unsigned) txt.size(), field->cbdata.set, field->fld_data); saved_string_pref_ = text; ss = SyntaxLineEdit::Valid; } else { |