author | Ulf Hermann <ulf.hermann@qt.io> | 2019-11-01 16:04:18 +0100 |
---|---|---|
committer | Ulf Hermann <ulf.hermann@qt.io> | 2019-11-07 13:33:26 +0100 |
commit | 06fa6ef1b9e159bd9b83b59ce23b7e09b918aa1f (patch) | |
tree | da85cb4e4becf4b51de9fd6bfd7b93debc11ece8 /src/qml/jsruntime/qv4runtime.cpp | |
parent | f05c9c292b5ee19e5e44709e44a9509d3300632f (diff) |
RuntimeHelpers: Short-circuit stringToNumber on huge strings
We don't need to iterate such a monster, or even convert it to latin1.
It won't be a valid number anyway.
Fixes: QTBUG-78955
Change-Id: Iaa35d924511885f804abe2d5c74235adcad55b27
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4runtime.cpp')
-rw-r--r-- | src/qml/jsruntime/qv4runtime.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/qml/jsruntime/qv4runtime.cpp b/src/qml/jsruntime/qv4runtime.cpp index aaa198c62a..01b5ff6611 100644 --- a/src/qml/jsruntime/qv4runtime.cpp +++ b/src/qml/jsruntime/qv4runtime.cpp @@ -408,6 +408,15 @@ QV4::ReturnedValue Runtime::In::call(ExecutionEngine *engine, const Value &left, double RuntimeHelpers::stringToNumber(const QString &string) { + // The actual maximum valid length is certainly shorter, but due to the sheer number of + // different number formatting variants, we rather err on the side of caution here. + // For example, you can have up to 772 valid decimal digits left of the dot, as stated in the + // libdoubleconversion sources. The same maximum value would be represented by roughly 3.5 times + // as many binary digits. + const int excessiveLength = 16 * 1024; + if (string.length() > excessiveLength) + return qQNaN(); + const QStringRef s = QStringRef(&string).trimmed(); if (s.startsWith(QLatin1Char('0'))) { int base = -1; |
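Review bot: the new length check runs on the raw `string`, before the `const QStringRef s = QStringRef(&string).trimmed();` line that follows it, so inputs that are valid numbers once trimmed are now rejected: a numeric literal padded with more than 16 KiB of leading or trailing whitespace, or one written with that many leading zeros (the `s.startsWith(QLatin1Char('0'))` branch below is where those would otherwise be handled), returns NaN even though ECMAScript's StringToNumber accepts both forms. The comment justifies the bound only for the longest meaningful digit string (the 772 digits from libdoubleconversion), not for padding, which can be arbitrarily long. If that divergence from JS semantics is acceptable for the QTBUG-78955 case, the comment should state it explicitly; otherwise move the check below the `trimmed()` call and compare `s.length()`, and consider skipping leading zeros before comparing against `excessiveLength`.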