
[2 patches] QQmlJs::MemoryPool: fix potential UB (pointer overflow)

For the QQmlJs::MemoryPool fix, I actually dropped most of the upstream bits as they seemed totally unrelated, see also last comment in codereview: https://codereview.qt-project.org/c/qt/qtdeclarative/+/488065

QQmlJs::MemoryPool: fix potential UB (pointer overflow)

A check like (p1 + s op p2) is dangerous, because p1 + s may overflow,
and that would be UB, so the compiler can assume it doesn't happen and
break the check.

Reformulate the expression by subtracting p1 from both sides. Cast the
ptrdiff_t to size_t to avoid -Wsign-compare. This is safe because _end
is always ≥ _ptr.

As a drive-by, remove extra parentheses.

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: If240d685fe48196ab5ceb7ff39736b73c8997e30
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 8a39f7655f4cfbc35c1886b49e2f3a9ada263e39)

* asturmlechner 2023-06-29: Resolve conflict with dev branch commit
  1b10ce6a08edbc2ac7e8fd7e97e3fc691f2081df by dropping unrelated bits
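The reformulation described in the commit message, as an added example that is not Qt's code: a minimal bump allocator shaped like the fast path of QQmlJs::MemoryPool. The class name, the `fits()` helper, the 8-byte rounding and the `nullptr` fallback are assumptions made for the demo; the only part that mirrors the commit is the shape of the capacity check, where `size < size_t(_end - _ptr)` replaces `_ptr + size < _end`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Added example, not Qt code: a bump allocator modelled on the shape of
// QQmlJs::MemoryPool's fast path. Class and member names are assumptions.
class BumpPool {
public:
    BumpPool(char *begin, char *end) : _ptr(begin), _end(end) {}

    // The check the commit replaces had the shape "_ptr + size < _end".
    // If _ptr + size wraps past the end of the address space that is UB,
    // so the compiler may assume it never happens and fold the comparison
    // away. Subtracting _ptr from both sides compares two sizes instead;
    // the subtraction itself is always valid because _end >= _ptr.
    bool fits(size_t size) const {
        if (!_ptr)
            return false;
        // _end - _ptr is a non-negative ptrdiff_t, so the cast to size_t
        // is lossless and avoids -Wsign-compare, as in the commit message.
        return size < static_cast<size_t>(_end - _ptr);
    }

    void *allocate(size_t size) {
        size = (size + 7) & ~size_t(7); // 8-byte rounding, assumed for the demo
        if (fits(size)) {
            void *addr = _ptr;
            _ptr += size;
            return addr;
        }
        return nullptr; // the real pool would take a slow path here; the demo refuses
    }

    size_t remaining() const { return static_cast<size_t>(_end - _ptr); }

private:
    char *_ptr;
    char *_end;
};

int main() {
    alignas(8) char buf[64]; // constructed backing store for the demo
    BumpPool pool(buf, buf + sizeof buf);
    std::printf("40 bytes -> %p\n", pool.allocate(40));
    std::printf("SIZE_MAX fits? %d\n", pool.fits(SIZE_MAX)); // 0: no wraparound, just false
    std::printf("remaining: %zu\n", pool.remaining());
    return 0;
}
```

The `SIZE_MAX` probe is the case the old form could not answer honestly: `_ptr + SIZE_MAX` is an out-of-range pointer, so the compiler was free to treat the comparison as always true or always false; the size-based form evaluates it as an ordinary unsigned comparison.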

QRecyclePool: fix potential UB

Return the pointer returned by placement new, not the pointer used as
input to placement new. There is a subtle difference and this grey
zone of the C++ standard is best avoided (keyword: std::launder()).

Pick-to: 6.6 6.5 6.2 5.15
Change-Id: I27c159cdb29a5837120f3d44aa6c95da040fd1a2
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
(cherry picked from commit 7381110745572478ffa3c68000574bc4ccb2396c)
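The point of the second commit, as an added example that is not Qt's code: a free-list pool shaped like QRecyclePool, with `New()` returning the pointer that placement new yields rather than a cast of the storage pointer that was passed in. The `Slot` union, `Widget`, `g_live` and the fixed capacity are assumptions made for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <utility>

// Added example, not Qt code: a fixed-size free-list pool modelled on the
// shape of QRecyclePool. All names here are assumptions.

int g_live = 0; // counts constructed Widgets, to show ctor/dtor pairing

struct Widget {
    int id;
    explicit Widget(int i) : id(i) { ++g_live; }
    ~Widget() { --g_live; }
};

template <typename T, int Capacity = 8>
class RecyclePool {
    // A slot is either raw storage for a T or, while free, a link in the free list.
    union Slot {
        Slot *nextFree;
        alignas(T) unsigned char storage[sizeof(T)];
    };

public:
    RecyclePool() : _free(nullptr), _used(0) {}

    template <typename... Args>
    T *New(Args &&...args) {
        Slot *s = take();
        if (!s)
            return nullptr;
        // Returning static_cast<T *>(static_cast<void *>(s->storage)) is the
        // grey zone the commit avoids: that pointer names the raw storage, not
        // the object that now lives in it (std::launder exists for exactly
        // this case). The value placement new returns is unambiguously a
        // pointer to the new object, so hand back that one.
        return new (s->storage) T(std::forward<Args>(args)...);
    }

    void Delete(T *t) {
        t->~T();
        // The object is gone; the address is raw storage again and returns
        // to the free list. Slot is a union, so its address equals storage's.
        Slot *s = reinterpret_cast<Slot *>(t);
        s->nextFree = _free;
        _free = s;
    }

private:
    Slot *take() {
        if (_free) {
            Slot *s = _free;
            _free = s->nextFree;
            return s;
        }
        if (_used < Capacity)
            return &_slots[_used++];
        return nullptr; // the demo pool does not grow
    }

    Slot _slots[Capacity];
    Slot *_free;
    int _used;
};

int main() {
    RecyclePool<Widget> pool;
    Widget *a = pool.New(1);
    std::printf("a: id=%d live=%d at %p\n", a->id, g_live, static_cast<void *>(a));
    pool.Delete(a);
    Widget *b = pool.New(2); // reuses the slot a occupied
    std::printf("b: id=%d live=%d at %p\n", b->id, g_live, static_cast<void *>(b));
    pool.Delete(b);
    return 0;
}
```

In practice the two pointers have the same value, which is why the old code worked; the difference is that only the placement-new result is guaranteed by the standard to refer to the newly created object, and keeping that guarantee costs nothing.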
