Re: [Interest] QStringBuilder buffer overflow with string litteral?
On January 25, 2021 2:47:28 PM UTC, "Olivier B." wrote:
> Oh, you are right, thanks. I thought the + operator was on a QString and
> adding a char would be faster than adding a 1-char string, but it just
> changed the char* pointer address instead.
>
> On Mon, 25 Jan 2021 at 15:32, Giuseppe D'Angelo via Interest
> <interest@qt-project.org> wrote:
>
> > Hi,
> >
> > On 25/01/21 13:56, Olivier B. wrote:
> > > fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
> >
> > QStringBuilder usage is a red herring, pay close attention to what
> > you're doing in the first +: you're summing a const char * (result of
> > the ternary operator) with a char; that does not do string concatenation...
> >
> > > Passing one/both of the operands of the ternary operator as QStrings
> > > makes the problem disappear.
> >
> > That however kills the advantage of QStringBuilder. Use QStringView /
> > QLatin1String instead.
> >
> > Tip: always define QT_NO_CAST_FROM_ASCII (or the more lenient
> > QT_RESTRICTED_CAST_FROM_ASCII) in any Qt project.
> >
> > HTH,
> > --
> > Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Senior Software Engineer
> > KDAB (France) S.A.S., a KDAB Group company
> > Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
> > KDAB - The Qt, C++ and OpenGL Experts

we're coming closer to Bobby Tables;' now xD

--
This message was sent from my Android device with K-9 Mail.
___
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest
Re: [Interest] QStringBuilder buffer overflow with string litteral?
Oh, you are right, thanks. I thought the + operator was on a QString and adding a char would be faster than adding a 1-char string, but it just changed the char* pointer address instead.

On Mon, 25 Jan 2021 at 15:32, Giuseppe D'Angelo via Interest <interest@qt-project.org> wrote:

> Hi,
>
> On 25/01/21 13:56, Olivier B. wrote:
> > fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
>
> QStringBuilder usage is a red herring, pay close attention to what
> you're doing in the first +: you're summing a const char * (result of
> the ternary operator) with a char; that does not do string concatenation...
>
> > Passing one/both of the operands of the ternary operator as QStrings
> > makes the problem disappear.
>
> That however kills the advantage of QStringBuilder. Use QStringView /
> QLatin1String instead.
>
> Tip: always define QT_NO_CAST_FROM_ASCII (or the more lenient
> QT_RESTRICTED_CAST_FROM_ASCII) in any Qt project.
>
> HTH,
> --
> Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Senior Software Engineer
> KDAB (France) S.A.S., a KDAB Group company
> Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
> KDAB - The Qt, C++ and OpenGL Experts
Re: [Interest] QStringBuilder buffer overflow with string litteral?
+1 ... this has indeed bitten me more times than I like to admit!

Bob Hairgrove

--
On 25.01.21 15:27, Giuseppe D'Angelo via Interest wrote:
> Hi,
>
> On 25/01/21 13:56, Olivier B. wrote:
> > fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
>
> QStringBuilder usage is a red herring, pay close attention to what
> you're doing in the first +: you're summing a const char * (result of
> the ternary operator) with a char; that does not do string concatenation...
Re: [Interest] QStringBuilder buffer overflow with string litteral?
Hi,

On 25/01/21 13:56, Olivier B. wrote:
> fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';

QStringBuilder usage is a red herring, pay close attention to what you're doing in the first +: you're summing a const char * (result of the ternary operator) with a char; that does not do string concatenation...

> Passing one/both of the operands of the ternary operator as QStrings
> makes the problem disappear.

That however kills the advantage of QStringBuilder. Use QStringView / QLatin1String instead.

Tip: always define QT_NO_CAST_FROM_ASCII (or the more lenient QT_RESTRICTED_CAST_FROM_ASCII) in any Qt project.

HTH,
--
Giuseppe D'Angelo | giuseppe.dang...@kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - The Qt, C++ and OpenGL Experts
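The pointer arithmetic described in the message above, as an added example that is not part of the original thread. It is Qt-free: std::string stands in for QString/QLatin1String, and the Rodata buffer, its layout and the function names are constructed for illustration so that the stray read stays inside one array.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

static_assert('"' == 34, "example assumes an ASCII execution character set");

// Constructed stand-in for a read-only data segment: the separator literal at
// offset 0 and an unrelated literal at offset 32, all inside one array so the
// stray read below stays in bounds. In the thread's real code the offset
// pointer left the literal entirely, which is undefined behaviour.
struct Rodata { char bytes[64]; };

Rodata makeRodata() {
    Rodata r{};                                      // zero-filled
    std::memcpy(r.bytes, ", ", 3);                   // ", " plus NUL
    std::memcpy(r.bytes + 32, ", UNIQUE (%1)", 14);  // 13 chars plus NUL
    return r;
}

// Same shape as the expression in the thread. The first + has a const char*
// on the left and a char on the right, so it is pointer arithmetic:
// '"' promotes to int 34 and the pointer moves 34 bytes forward.
std::string buggyItem(const char* sep, const std::string& field) {
    return (sep + '"') + field + '"';
}

// Making the left operand a string object first turns every + into
// concatenation (std::string here stands in for QLatin1String/QStringView).
std::string fixedItem(const char* sep, const std::string& field) {
    return std::string(sep) + '"' + field + '"';
}

int main() {
    const Rodata r = makeRodata();
    std::printf("buggy: %s\n", buggyItem(r.bytes, "A").c_str());
    std::printf("fixed: %s\n", fixedItem(r.bytes, "A").c_str());
    return 0;
}
```
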
Re: [Interest] QStringBuilder buffer overflow with string litteral?
On January 25, 2021 12:56:45 PM UTC, "Olivier B." wrote:
> Compiling with QT 5.11.1 & QT_USE_QSTRINGBUILDER, I get an error with the
> following code block:
>
> QString generateQuery(const QString& tableName, const QStringList& columns, int count)
> {
>     QString fields = "*";
>     if (!columns.isEmpty())
>     {
>         fields.clear();
>         for (const QString& field : columns)
>         {
>             fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
>         }
>     }
>     ...
>
> I just want to build a comma separated list of the items in 'columns',
> surrounded by quotes.
> But instead of giving "A", "B", "C", this gives UNIQUE (%1)"A"UNIQUE
> (%1)"B"UNIQUE (%1)"C"
>
> That UNIQUE (%1) is only found in another cpp file of the same DLL project,
> in strings ", UNIQUE (%1)" passed to QString constructors. So not only is
> it using the wrong string literal, it does not read it from the string
> start.
>
> Passing one/both of the operands of the ternary operator as QStrings makes
> the problem disappear.
>
> Are there things I should be aware of when using QStringBuilder, such as
> 'do not put expressions on operators, because of macros that will evaluate
> them multiple times', or something like that?
> String pooling (/GF of visual studio) is not used, if that matters

https://xkcd.com/327/

Greetings;)
Alex

--
This message was sent from my Android device with K-9 Mail.
Re: [Interest] QStringBuilder buffer overflow with string litteral?
Just an idea, not having to do with QStringBuilder ... why not do something like this?

    QString fields = columns.join(", ");
    if (fields.isEmpty()) fields = "*";
    // ...

AFAIK it is only necessary to enclose field names in quotes if the name is an SQL keyword. If you still need to quote them, I would do it this way:

    QString fields = columns.join("\",\"");
    if (fields.isEmpty()) fields = "*";
    else {
        fields.prepend("\"").append("\"");
    }
    // ...

HTH,
Bob Hairgrove

--
On 25.01.21 13:56, Olivier B. wrote:
> Compiling with QT 5.11.1 & QT_USE_QSTRINGBUILDER, I get an error with the
> following code block:
>
> QString generateQuery(const QString& tableName, const QStringList& columns, int count)
> {
>     QString fields = "*";
>     if (!columns.isEmpty())
>     {
>         fields.clear();
>         for (const QString& field : columns)
>         {
>             fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
>         }
>     }
>     ...
>
> I just want to build a comma separated list of the items in 'columns',
> surrounded by quotes.
> But instead of giving "A", "B", "C", this gives UNIQUE (%1)"A"UNIQUE
> (%1)"B"UNIQUE (%1)"C"
>
> That UNIQUE (%1) is only found in another cpp file of the same DLL project,
> in strings ", UNIQUE (%1)" passed to QString constructors. So not only is
> it using the wrong string literal, it does not read it from the string
> start.
>
> Passing one/both of the operands of the ternary operator as QStrings makes
> the problem disappear.
>
> Are there things I should be aware of when using QStringBuilder, such as
> 'do not put expressions on operators, because of macros that will evaluate
> them multiple times', or something like that?
> String pooling (/GF of visual studio) is not used, if that matters
[Interest] QStringBuilder buffer overflow with string litteral?
Compiling with QT 5.11.1 & QT_USE_QSTRINGBUILDER, I get an error with the following code block:

    QString generateQuery(const QString& tableName, const QStringList& columns, int count)
    {
        QString fields = "*";
        if (!columns.isEmpty())
        {
            fields.clear();
            for (const QString& field : columns)
            {
                fields += (fields.isEmpty() ? "" : ", ") + '"' + field + '"';
            }
        }
        ...

I just want to build a comma separated list of the items in 'columns', surrounded by quotes.
But instead of giving "A", "B", "C", this gives UNIQUE (%1)"A"UNIQUE (%1)"B"UNIQUE (%1)"C"

That UNIQUE (%1) is only found in another cpp file of the same DLL project, in strings ", UNIQUE (%1)" passed to QString constructors. So not only is it using the wrong string literal, it does not read it from the string start.

Passing one/both of the operands of the ternary operator as QStrings makes the problem disappear.

Are there things I should be aware of when using QStringBuilder, such as 'do not put expressions on operators, because of macros that will evaluate them multiple times', or something like that?
String pooling (/GF of visual studio) is not used, if that matters