author | Jędrzej Nowacki <jedrzej.nowacki@nokia.com> | 2011-09-05 15:36:19 +0200 |
committer | Qt by Nokia <qt-info@nokia.com> | 2011-09-15 10:22:43 +0200 |
commit | ed438f667cb33d77d66a1a8dc4edd691f435a61c (patch) | |
tree | f6d209056df63eee5272f6b5d58973ea6b0e7418 /src/declarative/qml/v8/qv8qobjectwrapper.cpp | |
parent | 6cd22a4ca88df08e38f43f0c6d106f0483c4720a (diff) |
Fix potential memory corruption.
The code exploited the fact that most of the types in the union use d
pointers and that the size of a d pointer is less than or equal to
sizeof(QVariant) or sizeof(double). The code may still suffer
from an alignment issue on some exotic platforms.
Change-Id: I4ef331f4cdb7177337ddcc8696f78d85e9594d27
Reviewed-on: http://codereview.qt-project.org/4244
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Aaron Kennedy <aaron.kennedy@nokia.com>
Reviewed-by: Kent Hansen <kent.hansen@nokia.com>
Diffstat (limited to 'src/declarative/qml/v8/qv8qobjectwrapper.cpp')
-rw-r--r-- | src/declarative/qml/v8/qv8qobjectwrapper.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/declarative/qml/v8/qv8qobjectwrapper.cpp b/src/declarative/qml/v8/qv8qobjectwrapper.cpp
index 348b6c061d..5b5c8be435 100644
--- a/src/declarative/qml/v8/qv8qobjectwrapper.cpp
+++ b/src/declarative/qml/v8/qv8qobjectwrapper.cpp
@@ -120,6 +120,17 @@ public:
 };
 namespace {
+
+template<typename A, typename B, typename C, typename D, typename E>
+class MaxSizeOf5 {
+template<typename Z, typename X>
+struct SMax {
+static const size_t Size = sizeof(Z) > sizeof(X) ? sizeof(Z) : sizeof(X);
+};
+public:
+static const size_t Size = SMax<A, SMax<B, SMax<C, SMax<D, E> > > >::Size;
+};
+
 struct MetaCallArgument {
 inline MetaCallArgument();
 inline ~MetaCallArgument();
@@ -141,7 +152,12 @@ private:
 bool boolValue;
 QObject *qobjectPtr;
-char allocData[sizeof(QVariant)];
+char allocData[MaxSizeOf5<QVariant,
+QString,
+QList<QObject *>,
+QJSValue,
+QDeclarativeV8Handle>::Size];
+qint64 q_for_alignment;
 };
 // Pointers to allocData |
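Review bot: The alignment fix in the second hunk is only partial: `qint64 q_for_alignment` raises the union's alignment to that of qint64, so any of the five listed types, or one added later, with a stricter alignment requirement would still be constructed misaligned in `allocData`, which the commit message itself concedes. The type list in the `allocData` bound is now the only thing tying the buffer size to the types that appear to be constructed in place there (per the `// Pointers to allocData` comment), and nothing enforces that the list is kept complete, so a type added to the accessors but not to the list would silently overflow the buffer again. I would add above `allocData` a comment such as `// Every type constructed in place in allocData must be listed here; q_for_alignment only guarantees qint64 alignment` and, if the toolchain in use offers a static assertion, check each stored type's sizeof against MaxSizeOf5::Size so an omission becomes a build error rather than a heap corruption. The MetaCallArgument definition begins before this hunk.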