From 3a2e73cc94fc5694beb3ef28a0f4557c4e93e0e3 Mon Sep 17 00:00:00 2001
From: Chocobo1 <Chocobo1@users.noreply.github.com>
Date: Mon, 31 Oct 2022 12:34:20 +0800
Subject: [PATCH] Avoid out-of-bounds access

This happens when the `index` is a negative number.
Added `Q_ASSERT()` to catch coding errors at debug run time.

PR #17953.
---
 src/base/bittorrent/torrentimpl.cpp | 25 ++++++++++++++++++++-----
 src/base/bittorrent/torrentinfo.cpp | 15 +++++++++++++++
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/src/base/bittorrent/torrentimpl.cpp b/src/base/bittorrent/torrentimpl.cpp
index 7c49d6a5b..6742a22ff 100644
--- a/src/base/bittorrent/torrentimpl.cpp
+++ b/src/base/bittorrent/torrentimpl.cpp
@@ -805,13 +805,22 @@ int TorrentImpl::seedingTimeLimit() const
 
 Path TorrentImpl::filePath(const int index) const
 {
-    return m_filePaths.at(index);
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < m_filePaths.size());
+
+    return m_filePaths.value(index, {});
 }
 
 Path TorrentImpl::actualFilePath(const int index) const
 {
-    const auto nativeIndex = m_torrentInfo.nativeIndexes().at(index);
-    return Path(nativeTorrentInfo()->files().file_path(nativeIndex));
+    const QVector<lt::file_index_t> nativeIndexes = m_torrentInfo.nativeIndexes();
+
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < nativeIndexes.size());
+    if ((index < 0) || (index >= nativeIndexes.size()))
+        return {};
+
+    return Path(nativeTorrentInfo()->files().file_path(nativeIndexes[index]));
 }
 
 qlonglong TorrentImpl::fileSize(const int index) const
@@ -1721,9 +1730,15 @@ void TorrentImpl::moveStorage(const Path &newPath, const MoveStorageMode mode)
 
 void TorrentImpl::renameFile(const int index, const Path &path)
 {
+    const QVector<lt::file_index_t> nativeIndexes = m_torrentInfo.nativeIndexes();
+
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < nativeIndexes.size());
+    if ((index < 0) || (index >= nativeIndexes.size()))
+        return;
+
     ++m_renameCount;
-    m_nativeHandle.rename_file(m_torrentInfo.nativeIndexes().at(index)
-                               , path.toString().toStdString());
+    m_nativeHandle.rename_file(nativeIndexes[index], path.toString().toStdString());
 }
 
 void TorrentImpl::handleStateUpdate(const lt::torrent_status &nativeStatus)
diff --git a/src/base/bittorrent/torrentinfo.cpp b/src/base/bittorrent/torrentinfo.cpp
index 2a32ad653..e2b7533df 100644
--- a/src/base/bittorrent/torrentinfo.cpp
+++ b/src/base/bittorrent/torrentinfo.cpp
@@ -241,6 +241,11 @@ Path TorrentInfo::filePath(const int index) const
 {
     if (!isValid()) return {};
 
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < m_nativeIndexes.size());
+    if ((index < 0) || (index >= m_nativeIndexes.size()))
+        return {};
+
     return Path(m_nativeInfo->orig_files().file_path(m_nativeIndexes[index]));
 }
 
@@ -258,6 +263,11 @@ qlonglong TorrentInfo::fileSize(const int index) const
 {
     if (!isValid()) return -1;
 
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < m_nativeIndexes.size());
+    if ((index < 0) || (index >= m_nativeIndexes.size()))
+        return -1;
+
     return m_nativeInfo->orig_files().file_size(m_nativeIndexes[index]);
 }
 
@@ -265,6 +275,11 @@ qlonglong TorrentInfo::fileOffset(const int index) const
 {
     if (!isValid()) return -1;
 
+    Q_ASSERT(index >= 0);
+    Q_ASSERT(index < m_nativeIndexes.size());
+    if ((index < 0) || (index >= m_nativeIndexes.size()))
+        return -1;
+
     return m_nativeInfo->orig_files().file_offset(m_nativeIndexes[index]);
 }