diff options
| author | Lars Knoll <lars.knoll@digia.com> | 2013-11-11 15:08:41 +0100 |
|---|---|---|
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-11-12 18:20:30 +0100 |
| commit | 7c6d2d78fe0997dfebba5569f097bdacbba5a861 (patch) | |
| tree | c3b9d08d2249cd21f7a9bf7df9fe2d5fc850b3fb | |
| parent | 12086835ddce3554af1dc472377543bd1471faa9 (diff) | |
Fix out of bounds array index in the generated JIT code
When converting a double to int, make sure we check for >= 0
before using it, otherwise we get out of bounds accesses.
Task-number: QTBUG-34635
Change-Id: If72e116c08fe1dff03cd88ce510cf8b96d249b92
Reviewed-by: Erik Verbruggen <erik.verbruggen@digia.com>
| -rw-r--r-- | src/qml/compiler/qv4isel_masm.cpp | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/qml/compiler/qv4isel_masm.cpp b/src/qml/compiler/qv4isel_masm.cpp index ea2a086c6a..95032eb13c 100644 --- a/src/qml/compiler/qv4isel_masm.cpp +++ b/src/qml/compiler/qv4isel_masm.cpp @@ -1039,13 +1039,13 @@ void InstructionSelection::getElement(V4IR::Expr *base, V4IR::Expr *index, V4IR: _as->and32(Assembler::TrustedImm32(QV4::Managed::SimpleArray), Assembler::ReturnValueRegister); Assembler::Jump notSimple = _as->branch32(Assembler::Equal, Assembler::ReturnValueRegister, Assembler::TrustedImm32(0)); - Assembler::Jump fallback; + Assembler::Jump fallback, fallback2; if (tindex->kind == V4IR::Temp::PhysicalRegister) { if (tindex->type == V4IR::SInt32Type) { _as->move((Assembler::RegisterID) tindex->index, Assembler::ScratchRegister); } else { // double, convert and check if it's a int - _as->truncateDoubleToUint32((Assembler::FPRegisterID) tindex->index, Assembler::ScratchRegister); + fallback2 = _as->branchTruncateDoubleToUint32((Assembler::FPRegisterID) tindex->index, Assembler::ScratchRegister); _as->convertInt32ToDouble(Assembler::ScratchRegister, Assembler::FPGpr0); fallback = _as->branchDouble(Assembler::DoubleNotEqual, Assembler::FPGpr0, (Assembler::FPRegisterID) tindex->index); } @@ -1062,7 +1062,7 @@ void InstructionSelection::getElement(V4IR::Expr *base, V4IR::Expr *index, V4IR: _as->move(Assembler::TrustedImm64(QV4::Value::NaNEncodeMask), Assembler::ReturnValueRegister); _as->xor64(Assembler::ScratchRegister, Assembler::ReturnValueRegister); _as->move64ToDouble(Assembler::ReturnValueRegister, Assembler::FPGpr0); - _as->truncateDoubleToUint32(Assembler::FPGpr0, Assembler::ScratchRegister); + fallback2 = _as->branchTruncateDoubleToUint32(Assembler::FPGpr0, Assembler::ScratchRegister); _as->convertInt32ToDouble(Assembler::ScratchRegister, Assembler::FPGpr1); fallback = _as->branchDouble(Assembler::DoubleNotEqualOrUnordered, Assembler::FPGpr0, Assembler::FPGpr1); @@ -1095,6 +1095,8 @@ void InstructionSelection::getElement(V4IR::Expr *base, V4IR::Expr *index, V4IR: outOfRange.link(_as); if (fallback.isSet()) fallback.link(_as); + if (fallback2.isSet()) + fallback2.link(_as); notSimple.link(_as); notManaged.link(_as); |