https://bugs.kde.org/show_bug.cgi?id=519719

Christoph Cullmann <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Latest Commit|                            |https://invent.kde.org/frameworks/kcodecs/-/commit/c3917949c21d93fd08e1c5ab2c84273910074acf
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Christoph Cullmann <[email protected]> ---
Git commit c3917949c21d93fd08e1c5ab2c84273910074acf by Christoph Cullmann, on
behalf of Kaixuan Li.
Committed on 17/05/2026 at 14:49.
Pushed by cullmann into branch 'master'.

KCharsets::fromEntity: bound numeric reference to QChar range and reorder
bounds check

The 1-arg fromEntity(QStringView) overload had two related issues
that aborted the process under Q_ASSERT and showed up in fuzz runs:

1. The integer parsed from "&#NNNN" / "&#xNNNN" was passed straight
   to QChar(int), which Qt 6 enforces with Q_ASSERT_X(c <= 0xffff).
   Any reference >= U+10000 (e.g. "&#x10000;", "&#65536;") aborted
   in debug builds and silently truncated to the low 16 bits in
   release builds. Now we reject anything > 0xFFFF and return
   QChar::Null, matching HTML5 §13.2.5.72's parse-error behaviour.

2. After "pos++" past an optional leading '&', str[pos] was read
   before the bounds check. For str == "&", str[1] aborted on a
   length-1 view. Adds a "pos >= str.length()" guard right after
   the increment.

Both code paths are reachable from KCharsets::resolveEntities and
the 2-arg fromEntity(QStringView, int&) overload, which slices the
input down through prefix lengths 8..1 and re-enters the 1-arg form.

Adds regression cases to KCharsetsTest::testFromEntity.
Related: bug 519720

M  +16   -0    autotests/kcharsetstest.cpp
M  +14   -9    src/kcharsets.cpp

https://invent.kde.org/frameworks/kcodecs/-/commit/c3917949c21d93fd08e1c5ab2c84273910074acf
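The two defects the commit message describes (reading past the end of the view after stepping over an optional '&', and narrowing a parsed code point into a 16-bit QChar without a range check) are easy to reproduce in a plain C++ parser. The function below is an added illustration written for this page, not the kcodecs implementation; it uses std::string_view and std::optional<char16_t> in place of QStringView and QChar (std::nullopt standing in for QChar::Null), and the handling of an optional trailing ';' is an assumption of this example rather than something the commit message specifies.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string_view>

// Hypothetical stand-in for a 1-arg fromEntity: accept an optional leading '&',
// then "#NNNN" (decimal) or "#xNNNN" (hex), optionally terminated by ';'.
// Returns the value as one UTF-16 code unit, or std::nullopt on any failure.
std::optional<char16_t> parseNumericEntity(std::string_view str)
{
    std::size_t pos = 0;
    if (!str.empty() && str[0] == '&') {
        ++pos;
    }
    // Bounds check immediately after the increment: for str == "&", reading
    // str[1] on a length-1 view is exactly the out-of-range access described.
    if (pos >= str.size() || str[pos] != '#') {
        return std::nullopt;
    }
    ++pos;

    unsigned base = 10;
    if (pos < str.size() && (str[pos] == 'x' || str[pos] == 'X')) {
        base = 16;
        ++pos;
    }

    std::uint32_t value = 0;
    std::size_t digits = 0;
    for (; pos < str.size(); ++pos) {
        const char c = str[pos];
        unsigned d;
        if (c >= '0' && c <= '9') {
            d = static_cast<unsigned>(c - '0');
        } else if (base == 16 && c >= 'a' && c <= 'f') {
            d = static_cast<unsigned>(c - 'a') + 10;
        } else if (base == 16 && c >= 'A' && c <= 'F') {
            d = static_cast<unsigned>(c - 'A') + 10;
        } else if (c == ';' && digits > 0) {
            ++pos;  // consume the terminator and stop
            break;
        } else {
            return std::nullopt;
        }
        // Stop accumulating once the value can no longer fit a QChar; this also
        // keeps a long digit run from wrapping the 32-bit accumulator.
        if (value > 0xFFFF) {
            return std::nullopt;
        }
        value = value * base + d;
        ++digits;
    }

    // No digits, or trailing garbage after the terminator: parse error.
    if (digits == 0 || pos != str.size()) {
        return std::nullopt;
    }
    // Range check BEFORE narrowing. Without it, 0x10000 would truncate to
    // 0x0000 (the low 16 bits) instead of being rejected.
    if (value > 0xFFFF) {
        return std::nullopt;
    }
    return static_cast<char16_t>(value);
}
```

The ordering is the point: the emptiness guard runs before any indexed read, and the `> 0xFFFF` test runs before the `static_cast<char16_t>`, so "&#x10000;" and "&#65536;" fail cleanly instead of aborting under an assertion or silently becoming U+0000.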
