authorUlf Hermann <ulf.hermann@qt.io>2023-03-27 10:36:36 +0200
committerUlf Hermann <ulf.hermann@qt.io>2023-03-28 15:31:01 +0200
commit583b8269beaf3b607877c055574f2cc6044c826c (patch)
tree5ec616e04ea471ece1391c6e2fcde9b2b4706a21 /src/qml/common
parentb73ecfc066b97c4f99b4030b0be9c314b70ba99f (diff)
QtQml: Improve handling of CU's sourceFileIndex
In the unlikely case that we get a corrupted CU from a cache file and it still passes the header verification we don't want it to access invalid memory when checking the file name. We also generally want to use uint as index into the string table. A signed integer makes no sense here. Pick-to: 6.5 Coverity-Id: 310389 Change-Id: I12e9b8f39e1d3c68fd701c1ef4f54845ab8c3c12 Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'src/qml/common')
-rw-r--r--src/qml/common/qv4compileddata_p.h15
1 files changed, 9 insertions, 6 deletions
diff --git a/src/qml/common/qv4compileddata_p.h b/src/qml/common/qv4compileddata_p.h
index 9012c85ce7..fbd1b564c0 100644
--- a/src/qml/common/qv4compileddata_p.h
+++ b/src/qml/common/qv4compileddata_p.h
@@ -1240,8 +1240,8 @@ struct Unit
}
/* end QML specific fields*/
- QString stringAtInternal(int idx) const {
- Q_ASSERT(idx < int(stringTableSize));
+ QString stringAtInternal(uint idx) const {
+ Q_ASSERT(idx < stringTableSize);
const quint32_le *offsetTable = reinterpret_cast<const quint32_le*>((reinterpret_cast<const char *>(this)) + offsetToStringTable);
const quint32_le offset = offsetTable[idx];
const String *str = reinterpret_cast<const String*>(reinterpret_cast<const char *>(this) + offset);
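Review bot: The bound on `idx` in stringAtInternal is enforced only by `Q_ASSERT`, which expands to nothing when QT_NO_DEBUG is defined, so in a release build a corrupted cache file can still drive `offsetTable[idx]` past the string table. The same applies to `Q_ASSERT(dynamicIndex < dynamicStrings.size())` in stringAt in the next hunk. Unless every caller validates the index before the call (not visible here), a runtime guard such as `if (idx >= stringTableSize) return QString();` would make the protection hold in release builds as well. The `offset` read from the table is also used unchecked to form `str`; the function body continues past the end of the hunk, so a later check may exist.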
@@ -1532,11 +1532,14 @@ public:
m_finalUrlString = !finalUrlString.isEmpty() ? finalUrlString : stringAt(data->finalUrlIndex);
}
- QString stringAt(int index) const
+ QString stringAt(uint index) const
{
- if (uint(index) >= data->stringTableSize)
- return dynamicStrings.at(index - data->stringTableSize);
- return data->stringAtInternal(index);
+ if (index < data->stringTableSize)
+ return data->stringAtInternal(index);
+
+ const uint dynamicIndex = index - data->stringTableSize;
+ Q_ASSERT(dynamicIndex < dynamicStrings.size());
+ return dynamicStrings.at(dynamicIndex);
}
QString fileName() const { return m_fileName; }
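Review bot: stringAt splits one index space across two tables, and nothing in the function says so; a comment above the first branch such as `// index < stringTableSize: the unit's own string table; otherwise: dynamicStrings, offset by stringTableSize` would document it. Separately, `dynamicIndex < dynamicStrings.size()` compares a `uint` with whatever `size()` returns. If that is a signed type (the declaration of dynamicStrings is outside the hunk), an explicit cast such as `qsizetype(dynamicIndex) < dynamicStrings.size()` avoids a sign-compare warning on 32-bit targets. The enclosing class starts outside the hunk.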