diff options
| author | Lars Knoll <lars.knoll@qt.io> | 2018-04-16 13:35:13 +0200 |
|---|---|---|
| committer | Lars Knoll <lars.knoll@qt.io> | 2018-05-02 14:19:41 +0000 |
| commit | 613dede03b1fa742027072c5656ef6ccefc651ad (patch) | |
| tree | b9781c912b3a89ff39ad9a533513706002939a42 | |
| parent | f1162921dfba638585f2c10760443df003ae7e4c (diff) | |
Fixes when using getLength()
Do some more bounds checking to avoid crashes.
Change-Id: I44e838c3577a9176628aa5e382d712eac9800203
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
| -rw-r--r-- | src/qml/jsruntime/qv4arrayobject.cpp | 9 | ||||
| -rw-r--r-- | src/qml/jsruntime/qv4object_p.h | 2 | ||||
| -rw-r--r-- | src/qml/jsruntime/qv4value_p.h | 2 |
3 files changed, 8 insertions, 5 deletions
diff --git a/src/qml/jsruntime/qv4arrayobject.cpp b/src/qml/jsruntime/qv4arrayobject.cpp index 9b9a2f1052..2bc5ec1de1 100644 --- a/src/qml/jsruntime/qv4arrayobject.cpp +++ b/src/qml/jsruntime/qv4arrayobject.cpp @@ -352,7 +352,7 @@ ReturnedValue ArrayPrototype::method_push(const FunctionObject *b, const Value * instance->arrayCreate(); Q_ASSERT(instance->arrayData()); - quint64 len = instance->getLength(); + qint64 len = instance->getLength(); if (len + quint64(argc) >= UINT_MAX) { // ughh... this goes beyond UINT_MAX @@ -393,7 +393,7 @@ ReturnedValue ArrayPrototype::method_push(const FunctionObject *b, const Value * return scope.engine->throwTypeError(); } - return Encode(len); + return Encode(uint(len)); } ReturnedValue ArrayPrototype::method_reverse(const FunctionObject *b, const Value *thisObject, const Value *, int) @@ -403,7 +403,10 @@ ReturnedValue ArrayPrototype::method_reverse(const FunctionObject *b, const Valu if (!instance) RETURN_UNDEFINED(); - uint length = instance->getLength(); + qint64 length = instance->getLength(); + // ### FIXME + if (length >= UINT_MAX) + return scope.engine->throwRangeError(QLatin1String("Array.prototype.reverse: Length out of range.")); int lo = 0, hi = length - 1; diff --git a/src/qml/jsruntime/qv4object_p.h b/src/qml/jsruntime/qv4object_p.h index 2f8a73de68..15d42e8098 100644 --- a/src/qml/jsruntime/qv4object_p.h +++ b/src/qml/jsruntime/qv4object_p.h @@ -408,7 +408,7 @@ public: { return vtable()->deleteIndexedProperty(this, index); } void advanceIterator(ObjectIterator *it, Value *name, uint *index, Property *p, PropertyAttributes *attributes) { vtable()->advanceIterator(this, it, name, index, p, attributes); } - quint64 getLength() const { return vtable()->getLength(this); } + qint64 getLength() const { return vtable()->getLength(this); } ReturnedValue instanceOf(const Value &var) const { return vtable()->instanceOf(this, var); } diff --git a/src/qml/jsruntime/qv4value_p.h b/src/qml/jsruntime/qv4value_p.h index b89011a9a0..97c6ea23ff 100644 --- a/src/qml/jsruntime/qv4value_p.h +++ b/src/qml/jsruntime/qv4value_p.h @@ -824,7 +824,7 @@ inline unsigned int Value::toUInt32() const inline qint64 Value::toLength() const { if (Q_LIKELY(integerCompatible())) - return int_32(); + return int_32() < 0 ? 0 : int_32(); double i = Primitive::toInteger(isDouble() ? doubleValue() : toNumberImpl()); if (i <= 0) return 0; |