When 3535f46374ccf8ad966e4b266c0dbd919646fded dropped the Q_ASSERT(end[-1] == '"') by reviewer request from the original 767beb7fff6f08f5574a193967f8f814970ac289 change, it didn't replace it with some other check, leaving the possibility open that we'd be passing an invalid range (end < begin) to QString::fromUtf8(), with unknown consequences. While technically a security problem, this has very low impact, since the files being parsed should contain "trusted content", being supposed to be owned by root, and not writable by mere mortals. I hasten to add, though, that the code doesn't check permissions of the files it reads. The bug existed with the original Q_ASSERT, too. Namely in release mode. And in debug mode, it would be a DOS. Port to QByteArrayView to get the more expressive API and as a prerequestite for follow-up (non-security) patches. Pick-to: 6.6 6.5 Change-Id: Ib79cdad8680861d1f11b6be9234695273d0a97c2 Reviewed-by: Ivan Solovev <ivan.solovev@qt.io> Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>