diff options
author | Lars Knoll <lars.knoll@qt.io> | 2018-04-16 12:32:17 +0200 |
---|---|---|
committer | Lars Knoll <lars.knoll@qt.io> | 2018-05-02 14:19:37 +0000 |
commit | f1162921dfba638585f2c10760443df003ae7e4c (patch) | |
tree | f696a4ced54c5ff3f40d24c0e862fa1ecd300314 /src/qml/jsruntime/qv4arrayobject.cpp | |
parent | cf4a68d5bc85877e1166117aa0d4c520509d1c0e (diff) |
Correctly check length limit in Array.push()
getLength() returns a 64 bit value, so check against
UINT_MAX instead of checking for an implicit overflow
Change-Id: I9ac7f582a85bc696faa42dd10170b9b03b33bcf9
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4arrayobject.cpp')
-rw-r--r-- | src/qml/jsruntime/qv4arrayobject.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/qml/jsruntime/qv4arrayobject.cpp b/src/qml/jsruntime/qv4arrayobject.cpp index 37c386d781..9b9a2f1052 100644 --- a/src/qml/jsruntime/qv4arrayobject.cpp +++ b/src/qml/jsruntime/qv4arrayobject.cpp @@ -352,9 +352,9 @@ ReturnedValue ArrayPrototype::method_push(const FunctionObject *b, const Value * instance->arrayCreate(); Q_ASSERT(instance->arrayData()); - uint len = instance->getLength(); + quint64 len = instance->getLength(); - if (len + argc < len) { + if (len + quint64(argc) >= UINT_MAX) { // ughh... this goes beyond UINT_MAX double l = len; ScopedString s(scope); |