From 0d50efeae9829336ffb7e47692cfdc649e10ee70 Mon Sep 17 00:00:00 2001
From: Friedemann Kleint
Date: Tue, 18 Mar 2014 12:07:53 +0100
Subject: [PATCH] Fix QByteArray memory corruption in QIBaseDriver::open().
Rewrite code to use QByteArray::reserve(), QByteArray::append() instead of memcpy().
Task-number: QTBUG-37508
Change-Id: I16ead153f33fa5a34bc01ee27ae4cd1b8993b65e
Reviewed-by: Andy Shaw
Reviewed-by: Mark Brand
---
 src/sql/drivers/ibase/qsql_ibase.cpp | 35 ++++++++++++----------------
 1 file changed, 15 insertions(+), 20 deletions(-)
diff --git a/src/sql/drivers/ibase/qsql_ibase.cpp b/src/sql/drivers/ibase/qsql_ibase.cpp
index fe5a3cd23aa..d50078b5ff1 100644
--- a/src/sql/drivers/ibase/qsql_ibase.cpp
+++ b/src/sql/drivers/ibase/qsql_ibase.cpp
@@ -1490,27 +1490,22 @@ bool QIBaseDriver::open(const QString & db,
 pass.truncate(255);
 QByteArray ba;
- ba.resize(usr.length() + pass.length() + enc.length() + role.length() + 6);
- int i = -1;
- ba[++i] = isc_dpb_version1;
- ba[++i] = isc_dpb_user_name;
- ba[++i] = usr.length();
- memcpy(ba.data() + ++i, usr.data(), usr.length());
- i += usr.length();
- ba[i] = isc_dpb_password;
- ba[++i] = pass.length();
- memcpy(ba.data() + ++i, pass.data(), pass.length());
- i += pass.length();
- ba[i] = isc_dpb_lc_ctype;
- ba[++i] = enc.length();
- memcpy(ba.data() + ++i, enc.data(), enc.length());
- i += enc.length();
+ ba.reserve(usr.length() + pass.length() + enc.length() + role.length() + 9);
+ ba.append(char(isc_dpb_version1));
+ ba.append(char(isc_dpb_user_name));
+ ba.append(char(usr.length()));
+ ba.append(usr.data(), usr.length());
+ ba.append(char(isc_dpb_password));
+ ba.append(char(pass.length()));
+ ba.append(pass.data(), pass.length());
+ ba.append(char(isc_dpb_lc_ctype));
+ ba.append(char(enc.length()));
+ ba.append(enc.data(), enc.length());
 if (!role.isEmpty()) {
- ba[i] = isc_dpb_sql_role_name;
- ba[++i] = role.length();
- memcpy(ba.data() + ++i, role.data(), role.length());
- i += role.length();
+ ba.append(char(isc_dpb_sql_role_name));
+ ba.append(char(role.length()));
+ ba.append(role.data(), role.length());
 }
 QString portString;
@@ -1522,7 +1517,7 @@ bool QIBaseDriver::open(const QString & db,
 ldb += host + portString + QLatin1Char(':');
 ldb += db;
 isc_attach_database(d->status, 0, const_cast(ldb.toLocal8Bit().constData()),
- &d->ibase, i, ba.data());
+ &d->ibase, ba.size(), ba.data());
 if (d->isError(QT_TRANSLATE_NOOP("QIBaseDriver", "Error opening database"),
 QSqlError::ConnectionError)) {
 setOpenError(true);
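Review bot: The one-byte length prefixes written with `ba.append(char(enc.length()))` and `ba.append(char(role.length()))` wrap modulo 256 while the following `append(data, length)` still copies the whole buffer, so a value longer than 255 bytes would leave the parameter block's length byte disagreeing with its payload. Only `pass.truncate(255);` is visible in this hunk; if `usr`, `enc` and `role` are not bounded the same way above it (the body of open() starts outside the hunk), add `enc.truncate(255);` and `role.truncate(255);` beside it, or reject the over-long value with a connection error instead of truncating. The second hunk relies on the same bound: `ba.size()` is an int passed to the `short` length parameter of isc_attach_database(), which stays in range only while every field is capped at 255. A one-line comment on the `+ 9` in reserve(), such as `// 1 version byte + (tag + length byte) for each of user, password, charset, role`, would keep the constant from drifting again the way the old `+ 6` did.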