authorUlf Hermann <ulf.hermann@qt.io>2020-01-07 10:52:29 +0100
committerUlf Hermann <ulf.hermann@qt.io>2020-01-08 09:28:52 +0100
commit5e9a7246acb44a04c51bf066fc2e24368ca47204 (patch)
tree21e1fd8090500cfd426d16c32aac68ff6ebb28ad /src/qml/jsruntime/qv4functionobject.cpp
parent5c681f0f0f220c80f412d36a1b644c3eb5e080df (diff)
Check stack limit in FunctionPrototype::method_apply()
We could just let it crash there, on the assumption of unlimited memory, but since this particular place seems to be a very attractive target for various mischief, let's just plug it. Change-Id: I3b0369ceb34dafd12ce8dc1f189fc5f9ee82c169 Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4functionobject.cpp')
-rw-r--r--src/qml/jsruntime/qv4functionobject.cpp8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index 6fb7946023..dfef52583e 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -364,7 +364,13 @@ ReturnedValue FunctionPrototype::method_apply(const QV4::FunctionObject *b, cons
if (!arr)
return v4->throwTypeError();
- uint len = arr->getLength();
+ const qint64 len64 = arr->getLength();
+ if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max()))
+ return v4->throwRangeError(QStringLiteral("Invalid array length."));
+ if (len64 > qint64(v4->jsStackLimit - v4->jsStackTop))
+ return v4->throwRangeError(QStringLiteral("Array too large for apply()."));
+
+ const uint len = uint(len64);
Scope scope(v4);
Value *arguments = scope.alloc<Scope::Uninitialized>(len);