QV4: Avoid memory corruption in Reflect.apply

This extracts the check from Function.prototype.apply into a shared function, and uses it in Reflect.apply, which has the same issue. Task-number: QTBUG-107619 Change-Id: I899464c86554f9bbb5270a95bbe3fe27531e9a27 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io> (cherry picked from commit 0e963a53c04b0dbe172cfb495b4d62dc8e2f31a3) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2022-10-12 09:02:40 +0200
committer: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> 2022-12-05 16:06:15 +0000
commit: 94fd52dbb83a4982e4a70e621f431b0bd0945b5d (patch)
tree: a96e820ccd2d169507d48a10dbe0dbe9bf791663
parent: 09cc572c62c8b3c8365978f8b4d69de7dc53bb25 (diff)
5 files changed, 44 insertions, 9 deletions
diff --git a/src/qml/jsruntime/qv4engine.cpp b/src/qml/jsruntime/qv4engine.cpp
index bf5d437d10..da683da952 100644
--- a/src/qml/jsruntime/qv4engine.cpp
+++ b/src/qml/jsruntime/qv4engine.cpp
@@ -1892,6 +1892,25 @@ int ExecutionEngine::maxGCStackSize() const
     return m_maxGCStackSize;
 }
 
+/*!
+    \internal
+    Returns \a length converted to int if its safe to
+    pass to \c Scope::alloc.
+    Otherwise it throws a RangeError, and returns 0.
+ */
+int ExecutionEngine::safeForAllocLength(qint64 len64)
+{
+    if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max())) {
+        this->throwRangeError(QStringLiteral("Invalid array length."));
+        return 0;
+    }
+    if (len64 > qint64(this->jsStackLimit - this->jsStackTop)) {
+        this->throwRangeError(QStringLiteral("Array too large for apply()."));
+        return 0;
+    }
+    return len64;
+}
+
 ReturnedValue ExecutionEngine::global()
 {
     return globalObject->asReturnedValue();
diff --git a/src/qml/jsruntime/qv4engine_p.h b/src/qml/jsruntime/qv4engine_p.h
index 0f42b411e8..639f387ca6 100644
--- a/src/qml/jsruntime/qv4engine_p.h
+++ b/src/qml/jsruntime/qv4engine_p.h
@@ -655,6 +655,7 @@ public:
     int maxGCStackSize() const;
 
     bool checkStackLimits();
+    int safeForAllocLength(qint64 len64);
 
     bool canJIT(Function *f = nullptr)
     {
diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index 987355286d..efb4a10f11 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -364,15 +364,10 @@ ReturnedValue FunctionPrototype::method_apply(const QV4::FunctionObject *b, cons
     if (!arr)
         return v4->throwTypeError();
 
-    const qint64 len64 = arr->getLength();
-    if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max()))
-        return v4->throwRangeError(QStringLiteral("Invalid array length."));
-    if (len64 > qint64(v4->jsStackLimit - v4->jsStackTop))
-        return v4->throwRangeError(QStringLiteral("Array too large for apply()."));
-
-    const uint len = uint(len64);
-
     Scope scope(v4);
+    const uint len = v4->safeForAllocLength(arr->getLength());
+    CHECK_EXCEPTION();
+
     Value *arguments = scope.alloc<Scope::Uninitialized>(len);
     if (len) {
         if (ArgumentsObject::isNonStrictArgumentsObject(arr) && !arr->cast<ArgumentsObject>()->fullyCreated()) {
diff --git a/src/qml/jsruntime/qv4reflect.cpp b/src/qml/jsruntime/qv4reflect.cpp
index 981f4ba6f3..395c637492 100644
--- a/src/qml/jsruntime/qv4reflect.cpp
+++ b/src/qml/jsruntime/qv4reflect.cpp
@@ -76,7 +76,10 @@ struct CallArgs {
 
 static CallArgs createListFromArrayLike(Scope &scope, const Object *o)
 {
-    int len = o->getLength();
+    int len = scope.engine->safeForAllocLength(o->getLength());
+    if (scope.engine->hasException)
+        return {nullptr, 0};
+
     Value *arguments = scope.alloc(len);
 
     for (int i = 0; i < len; ++i) {
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index c66e2dccf3..363070d7f8 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -260,6 +260,7 @@ private slots:
     void sortNonStringArray();
     void iterateInvalidProxy();
     void applyOnHugeArray();
+    void reflectApplyOnHugeArray();
 
     void tostringRecursionCheck();
     void arrayIncludesWithLargeArray();
@@ -5174,6 +5175,22 @@ void tst_QJSEngine::applyOnHugeArray()
     QCOMPARE(value.toString(), "RangeError: Array too large for apply().");
 }
 
+
+void tst_QJSEngine::reflectApplyOnHugeArray()
+{
+    QQmlEngine engine;
+    const QJSValue value = engine.evaluate(R"(
+(function(){
+const v1 = [];
+const v3 = [];
+v3.length = 3900000000;
+Reflect.apply(v1.reverse,v1,v3);
+})()
+    )");
+    QVERIFY(value.isError());
+    QCOMPARE(value.toString(), QLatin1String("RangeError: Invalid array length."));
+}
+
 void tst_QJSEngine::typedArraySet()
 {
     QJSEngine engine;
author	Fabian Kosmale <fabian.kosmale@qt.io>	2022-10-12 09:02:40 +0200
committer	Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>	2022-12-05 16:06:15 +0000
commit	94fd52dbb83a4982e4a70e621f431b0bd0945b5d (patch)
tree	a96e820ccd2d169507d48a10dbe0dbe9bf791663
parent	09cc572c62c8b3c8365978f8b4d69de7dc53bb25 (diff)