authorJędrzej Nowacki <jedrzej.nowacki@nokia.com>2011-09-05 15:36:19 +0200
committerQt by Nokia <qt-info@nokia.com>2011-09-15 10:22:43 +0200
commited438f667cb33d77d66a1a8dc4edd691f435a61c (patch)
treef6d209056df63eee5272f6b5d58973ea6b0e7418
parent6cd22a4ca88df08e38f43f0c6d106f0483c4720a (diff)
Fix potential memory corruption.
The code relied on the fact that most of the types in the union use d-pointers and that the size of a d-pointer is less than or equal to sizeof(QVariant) or sizeof(double). The code may still suffer from an alignment issue on some exotic platforms. Change-Id: I4ef331f4cdb7177337ddcc8696f78d85e9594d27 Reviewed-on: http://codereview.qt-project.org/4244 Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com> Reviewed-by: Aaron Kennedy <aaron.kennedy@nokia.com> Reviewed-by: Kent Hansen <kent.hansen@nokia.com>
-rw-r--r--src/declarative/qml/v8/qv8qobjectwrapper.cpp18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/declarative/qml/v8/qv8qobjectwrapper.cpp b/src/declarative/qml/v8/qv8qobjectwrapper.cpp
index 348b6c061d..5b5c8be435 100644
--- a/src/declarative/qml/v8/qv8qobjectwrapper.cpp
+++ b/src/declarative/qml/v8/qv8qobjectwrapper.cpp
@@ -120,6 +120,17 @@ public:
};
namespace {
+
+template<typename A, typename B, typename C, typename D, typename E>
+class MaxSizeOf5 {
+ template<typename Z, typename X>
+ struct SMax {
+ static const size_t Size = sizeof(Z) > sizeof(X) ? sizeof(Z) : sizeof(X);
+ };
+public:
+ static const size_t Size = SMax<A, SMax<B, SMax<C, SMax<D, E> > > >::Size;
+};
+
struct MetaCallArgument {
inline MetaCallArgument();
inline ~MetaCallArgument();
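Review bot: MaxSizeOf5 guarantees only that a buffer sized by it can hold the largest of the five types; it says nothing about alignment, so whether allocData is a valid home for objects constructed in place still rests entirely on the separate qint64 member added in the second hunk, as the description itself concedes. That split contract is not written down anywhere in the new code and deserves a comment on the template, e.g. `// Largest sizeof() among A..E. Alignment of allocData is NOT derived from this; it relies on the q_for_alignment member of the union.` It would also help to state at the template that the type list must be kept in sync with every type that is constructed into allocData, since a future addition to the union would otherwise silently reintroduce the overflow this commit fixes. The `> > >` spacing suggests the file must stay C++03-compatible, so a fixed-arity helper is reasonable here, but a note to that effect would stop a later reader from "modernising" it into a form the toolchain may not accept.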
@@ -141,7 +152,12 @@ private:
bool boolValue;
QObject *qobjectPtr;
- char allocData[sizeof(QVariant)];
+ char allocData[MaxSizeOf5<QVariant,
+ QString,
+ QList<QObject *>,
+ QJSValue,
+ QDeclarativeV8Handle>::Size];
+ qint64 q_for_alignment;
};
// Pointers to allocData