authorPeter Hartmann <peter-qt@hartmann.tk>2017-03-15 11:59:14 +0100
committerPeter Hartmann <peter-qt@hartmann.tk>2017-05-03 14:49:55 +0000
commit30dbe57521c9b1f4cac74db8f5f15a3c466c20d0 (patch)
tree68b76d8fe76e1252a377aaa22e544df0e0b9d23f
parentb63c210f5a5fd1fe0419ef8f1f9b4655ac77b993 (diff)
QQmlComponent: Fix heap buffer overflow with bogus input
Change-Id: I8a725018a5aeb39df370f856cd77d887faa511e3 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
-rw-r--r--src/qml/parser/qqmljslexer.cpp5
-rw-r--r--tests/auto/qml/qqmlparser/tst_qqmlparser.cpp12
2 files changed, 17 insertions, 0 deletions
diff --git a/src/qml/parser/qqmljslexer.cpp b/src/qml/parser/qqmljslexer.cpp
index 66f9eac126..53e67fde03 100644
--- a/src/qml/parser/qqmljslexer.cpp
+++ b/src/qml/parser/qqmljslexer.cpp
@@ -724,6 +724,11 @@ again:
return multilineStringLiteral ? T_MULTILINE_STRING_LITERAL : T_STRING_LITERAL;
} else if (_char == QLatin1Char('\\')) {
scanChar();
+ if (_codePtr > _endPtr) {
+ _errorCode = IllegalEscapeSequence;
+ _errorMessage = QCoreApplication::translate("QQmlParser", "End of file reached at escape sequence");
+ return T_ERROR;
+ }
QChar u;
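Review bot: The added guard `if (_codePtr > _endPtr)` carries no comment saying which read it protects, and the invariant is not obvious from the hunk. The test runs after `scanChar()` has already advanced, so it presumably relies on the position at `_endPtr` itself being readable, which scanChar() (defined outside this hunk) would have to guarantee. A one-line comment such as `// Backslash was the last character: stop before the escape decoding below reads past _endPtr.` would record that. The enclosing function starts and ends outside the hunk, so it is worth confirming that the other places in it that call scanChar() and then consume further characters are bounded the same way.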
diff --git a/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp b/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp
index 357482b93f..ba2b836a6d 100644
--- a/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp
+++ b/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp
@@ -49,6 +49,7 @@ private slots:
void qmlParser_data();
void qmlParser();
#endif
+ void invalidEscapeSequence();
private:
QStringList excludedDirs;
@@ -192,6 +193,17 @@ void tst_qqmlparser::qmlParser()
}
#endif
+void tst_qqmlparser::invalidEscapeSequence()
+{
+ using namespace QQmlJS;
+
+ Engine engine;
+ Lexer lexer(&engine);
+ lexer.setCode(QLatin1String("\"\\"), 1);
+ Parser parser(&engine);
+ parser.parse();
+}
+
QTEST_MAIN(tst_qqmlparser)
#include "tst_qqmlparser.moc"
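Review bot: invalidEscapeSequence() asserts nothing, so it can only fail if the out-of-bounds read happens to crash or the suite runs under a memory checker; in a plain build it passes with or without the lexer fix. Checking the outcome would make it a regression test in every configuration: `QVERIFY(!parser.parse());`, assuming parse() reports the lexer's T_ERROR as a failed parse. A short comment above the `setCode` line noting that the input is an opening quote followed by a lone backslash would also help, since the escaped literal `"\"\\"` is hard to read.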