diff options
author | Fabian Kosmale <fabian.kosmale@qt.io> | 2020-01-06 16:10:47 +0100 |
---|---|---|
committer | Fabian Kosmale <fabian.kosmale@qt.io> | 2020-01-07 14:11:41 +0100 |
commit | b7ce1395998464b2f27e4973992b5f7447b34a49 (patch) | |
tree | 23d7e039e86e2f3d4084118522177025f0c412a0 | |
parent | e72b032cc1c5a8a07a99fc6522a692c36f369abc (diff) |
QV4: Check recursion limit in toString
Change-Id: I18b7a4e00150f6c47c991a5164901159b7f946b9
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
-rw-r--r-- | src/qml/jsruntime/qv4objectproto.cpp | 1 | ||||
-rw-r--r-- | tests/auto/qml/qjsengine/tst_qjsengine.cpp | 22 |
2 files changed, 23 insertions, 0 deletions
diff --git a/src/qml/jsruntime/qv4objectproto.cpp b/src/qml/jsruntime/qv4objectproto.cpp index 3d3b3f413f..7d910a1cbc 100644 --- a/src/qml/jsruntime/qv4objectproto.cpp +++ b/src/qml/jsruntime/qv4objectproto.cpp @@ -658,6 +658,7 @@ ReturnedValue ObjectPrototype::method_toString(const FunctionObject *b, const Va ReturnedValue ObjectPrototype::method_toLocaleString(const FunctionObject *b, const Value *thisObject, const Value *argv, int argc) { Scope scope(b); + CHECK_STACK_LIMITS(scope.engine) ScopedObject o(scope, thisObject->toObject(scope.engine)); if (!o) RETURN_UNDEFINED(); diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp index 43c931ecf7..e59114a327 100644 --- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp +++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp @@ -256,6 +256,8 @@ private slots: void sortSparseArray(); void compileBrokenRegexp(); + void tostringRecursionCheck(); + public: Q_INVOKABLE QJSValue throwingCppMethod1(); Q_INVOKABLE void throwingCppMethod2(); @@ -5020,6 +5022,26 @@ void tst_QJSEngine::compileBrokenRegexp() QCOMPARE(value.toString(), "SyntaxError: Invalid flags supplied to RegExp constructor"); } +void tst_QJSEngine::tostringRecursionCheck() +{ + QJSEngine engine; + auto value = engine.evaluate(R"js( + var a = {}; + var b = new Array(1337); + function main() { + var ret = a.toLocaleString; + b[1] = ret; + Array = {}; + Object.toString = b[1]; + var ret = String.prototype.lastIndexOf.call({}, b[1]); + var ret = String.prototype.charAt.call(Function, Object); + } + main(); + )js"); + QVERIFY(value.isError()); + QCOMPARE(value.toString(), QLatin1String("RangeError: Maximum call stack size exceeded.")); +} + QTEST_MAIN(tst_QJSEngine) #include "tst_qjsengine.moc" |