diff options
author | Ulf Hermann <ulf.hermann@qt.io> | 2020-01-07 10:52:29 +0100 |
---|---|---|
committer | Ulf Hermann <ulf.hermann@qt.io> | 2020-01-08 09:28:52 +0100 |
commit | 5e9a7246acb44a04c51bf066fc2e24368ca47204 (patch) | |
tree | 21e1fd8090500cfd426d16c32aac68ff6ebb28ad /src/qml/jsruntime/qv4functionobject.cpp | |
parent | 5c681f0f0f220c80f412d36a1b644c3eb5e080df (diff) |
Check stack limit in FunctionPrototype::method_apply()
We could just crash there, assuming unlimited memory, but as this
particular place seems to be a very attractive target for various
mischief, let's just plug it.
Change-Id: I3b0369ceb34dafd12ce8dc1f189fc5f9ee82c169
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4functionobject.cpp')
-rw-r--r-- | src/qml/jsruntime/qv4functionobject.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp index 6fb7946023..dfef52583e 100644 --- a/src/qml/jsruntime/qv4functionobject.cpp +++ b/src/qml/jsruntime/qv4functionobject.cpp @@ -364,7 +364,13 @@ ReturnedValue FunctionPrototype::method_apply(const QV4::FunctionObject *b, cons if (!arr) return v4->throwTypeError(); - uint len = arr->getLength(); + const qint64 len64 = arr->getLength(); + if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max())) + return v4->throwRangeError(QStringLiteral("Invalid array length.")); + if (len64 > qint64(v4->jsStackLimit - v4->jsStackTop)) + return v4->throwRangeError(QStringLiteral("Array too large for apply().")); + + const uint len = uint(len64); Scope scope(v4); Value *arguments = scope.alloc<Scope::Uninitialized>(len); |