authorSimon Hausmann <simon.hausmann@qt.io>2018-06-05 11:19:49 +0200
committerSimon Hausmann <simon.hausmann@qt.io>2018-06-21 13:00:55 +0000
commitcb9537d83046dfbfdbe4977999b606fed879d2d7 (patch)
treeeb031aaeb6e282a5c587bc346d14042321127fb8
parent4f37fe314e9be26bc1f07ca80fa6546ab020e15f (diff)
Fix out of bounds stack access with the byte code interpreter
When generating the byte code, we use code like this to initialize the specialized instructions: Instruction::Binop op; op.foo = 1; ... to conveniently initialize the fields and then use the addInstruction template specialization to copy the non-generic bits (for example binop specific parameters) across into the Instr union. We copy InstrMeta<InstrType>::Size bytes, which includes the alignment padding applied via MOTH_INSTR_ALIGN_MASK. However the source data type (Instruction::Binop in the above example) does not include that alignment padding, and therefore the memcpy will read more bytes off the stack than were allocated. Discovered via ASAN during the investigation of QTBUG-68640. The issue is specific to Qt 5.9, it does not apply to the code base of 5.11 or later, where the byte code is strictly integer organized. Change-Id: Ia12b75f6c1ec6c9d77ee6e7c4253c1e18c46291c Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r--src/qml/compiler/qv4instr_moth_p.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/compiler/qv4instr_moth_p.h b/src/qml/compiler/qv4instr_moth_p.h
index 5f46e90ec7..fbd513b537 100644
--- a/src/qml/compiler/qv4instr_moth_p.h
+++ b/src/qml/compiler/qv4instr_moth_p.h
@@ -908,7 +908,7 @@ QT_WARNING_DISABLE_GCC("-Wuninitialized")
static void setDataNoCommon(Instr &instr, const DataType &v) \
{ memcpy(reinterpret_cast<char *>(&instr.FMT) + sizeof(Instr::instr_common), \
reinterpret_cast<const char *>(&v) + sizeof(Instr::instr_common), \
- Size - sizeof(Instr::instr_common)); } \
+ sizeof(DataType) - sizeof(Instr::instr_common)); } \
};
FOR_EACH_MOTH_INSTR(MOTH_INSTR_META_TEMPLATE);
#undef MOTH_INSTR_META_TEMPLATE
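Review bot: The new length expression `sizeof(DataType) - sizeof(Instr::instr_common)` on the `+` line is an unchecked unsigned subtraction, so an instruction type that does not (or no longer) start with the `instr_common` prefix would wrap to a huge `size_t` and turn the fixed over-read into an over-write; the relationship between `sizeof(DataType)` and the padded `Size` is likewise only assumed. Both invariants are compile-time facts and can be pinned next to the memcpy with two lines inside the macro body: `static_assert(sizeof(DataType) >= sizeof(Instr::instr_common), "DataType must start with instr_common"); \` and `static_assert(sizeof(DataType) <= Size, "DataType must fit the padded Instr slot"); \`. Note that the memcpy still relies on `DataType` and `Instr::FMT` having identical member layout past the common prefix, which nothing visible here verifies, and that `-Wuninitialized` is disabled for this region on the `@@` context line, so the compiler will not flag a short or partially initialised source struct. The enclosing `MOTH_INSTR_META_TEMPLATE` macro and its class begin before the hunk, so the asserts need the macro's trailing backslashes as shown.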