authorUlf Hermann <ulf.hermann@qt.io>2020-01-07 09:42:19 +0100
committerUlf Hermann <ulf.hermann@qt.io>2020-01-08 09:28:48 +0100
commit5c681f0f0f220c80f412d36a1b644c3eb5e080df (patch)
treeef50915f96bab132804b06db8be9ef4a339a65b7
parentcbf97ccf8bb46c720de01a79f39b335dc74db71b (diff)
V4: Don't crash when iterating invalid Proxy objects
Fixes: QTBUG-81109 Change-Id: I97f37c68d33f414d7bffa9b66e0aaed93370dc68 Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
-rw-r--r--src/qml/jsruntime/qv4objectiterator.cpp2
-rw-r--r--src/qml/jsruntime/qv4proxy.cpp2
-rw-r--r--tests/auto/qml/qjsengine/tst_qjsengine.cpp15
3 files changed, 17 insertions, 2 deletions
diff --git a/src/qml/jsruntime/qv4objectiterator.cpp b/src/qml/jsruntime/qv4objectiterator.cpp
index e529b8e86b..65f6fa8b12 100644
--- a/src/qml/jsruntime/qv4objectiterator.cpp
+++ b/src/qml/jsruntime/qv4objectiterator.cpp
@@ -182,7 +182,7 @@ PropertyKey ForInIteratorObject::nextProperty() const
if (d()->current != d()->object) {
o = d()->object;
bool shadowed = false;
- while (o->d() != c->heapObject()) {
+ while (o && o->d() != c->heapObject()) {
if (o->getOwnProperty(key) != Attr_Invalid) {
shadowed = true;
break;
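Review bot: The new `o &&` guard makes the loop exit quietly when the prototype walk ends before it reaches `c->heapObject()`, and nothing in the hunk distinguishes that early exit from a walk that reached `c`, so a key from a broken chain is reported with `shadowed == false` exactly like an ordinary unshadowed key. That is presumably the intended crash fix, but the condition deserves a comment so the next reader does not "fix" it back: `// o becomes null when the prototype chain ends before reaching c (e.g. a Proxy whose getPrototypeOf trap fails); treat the key as unshadowed.` nextProperty() starts and ends outside the hunk, so whether the post-loop code checks for a pending engine exception before using the key could not be reviewed here; if it does not, that check is worth adding where `shadowed` is consumed.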
diff --git a/src/qml/jsruntime/qv4proxy.cpp b/src/qml/jsruntime/qv4proxy.cpp
index 9325e2e53b..51f96b9003 100644
--- a/src/qml/jsruntime/qv4proxy.cpp
+++ b/src/qml/jsruntime/qv4proxy.cpp
@@ -515,7 +515,7 @@ ProxyObjectOwnPropertyKeyIterator::ProxyObjectOwnPropertyKeyIterator(ArrayObject
PropertyKey ProxyObjectOwnPropertyKeyIterator::next(const Object *m, Property *pd, PropertyAttributes *attrs)
{
- if (index >= len)
+ if (index >= len || m == nullptr)
return PropertyKey::invalid();
Scope scope(m);
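Review bot: The added `m == nullptr` test returns `PropertyKey::invalid()` without any error being raised, which is indistinguishable from normal exhaustion (`index >= len`) at the call site; if the caller relies on a TypeError already being pending when `m` is null, that should be stated, because it is not visible in this hunk. Since the null check guards a precondition of the whole function rather than the iteration state, it reads more naturally first: `if (m == nullptr || index >= len)`. A short comment on the source of the null would help, e.g. `// m is null when iteration was set up on an invalid Proxy (QTBUG-81109); there is nothing to iterate and Scope(m) must not be constructed.` The rest of next() is outside the hunk.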
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index d348881e2e..df428d5929 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -256,6 +256,7 @@ private slots:
void sortSparseArray();
void compileBrokenRegexp();
void sortNonStringArray();
+ void iterateInvalidProxy();
void tostringRecursionCheck();
void arrayIncludesWithLargeArray();
@@ -5079,6 +5080,20 @@ void tst_QJSEngine::sortNonStringArray()
QCOMPARE(value.toString(), "TypeError: Cannot convert a symbol to a string.");
}
+void tst_QJSEngine::iterateInvalidProxy()
+{
+ QJSEngine engine;
+ const auto value = engine.evaluate(
+ "const v1 = new Proxy(Reflect, Reflect);"
+ "for (const v2 in v1) {}"
+ "const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };"
+ "const v4 = new Proxy(v3, v3);"
+ "for (const v5 in v4) {}"
+ );
+ QVERIFY(value.isError());
+ QCOMPARE(value.toString(), "TypeError: Type error");
+}
+
QTEST_MAIN(tst_QJSEngine)
#include "tst_qjsengine.moc"
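Review bot: The test evaluates both Proxy scenarios in a single script, so if the first `for (const v2 in v1)` loop already throws, the `v3`/`v4` scenario is never executed and a regression in the second code path (the `m == nullptr` case in ProxyObjectOwnPropertyKeyIterator::next) would go unnoticed; conversely the single `QCOMPARE` cannot tell which loop produced the `TypeError`. Evaluating the two scripts separately keeps both paths covered. Which of the two yields "TypeError: Type error" is not determinable from the diff, so the message assertion is left as a review TODO in the rewrite below.
```cpp
void tst_QJSEngine::iterateInvalidProxy()
{
    QJSEngine engine;

    // Evaluate each scenario on its own so that an exception thrown by the
    // first script cannot hide a crash or regression in the second.
    const auto reflectProxy = engine.evaluate(
                "const v1 = new Proxy(Reflect, Reflect);"
                "for (const v2 in v1) {}");
    const auto evalProxy = engine.evaluate(
                "const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };"
                "const v4 = new Proxy(v3, v3);"
                "for (const v5 in v4) {}");

    // TODO(review): confirm which script produces "TypeError: Type error"
    // and pin the message on that result; the other may legitimately not throw.
    QVERIFY(reflectProxy.isError() || evalProxy.isError());
}
```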