V4: Avoid integer overflow on typed array length check

Change-Id: I370b4c4bd0d7962878849ca7c5edef6cb36eca25
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>

1 files changed, 5 insertions, 2 deletions

diff --git a/src/qml/jsruntime/qv4typedarray.cpp b/src/qml/jsruntime/qv4typedarray.cpp
index 7d33167762..a5a720abc0 100644
--- a/src/qml/jsruntime/qv4typedarray.cpp
+++ b/src/qml/jsruntime/qv4typedarray.cpp
@@ -1416,7 +1416,8 @@ ReturnedValue IntrinsicTypedArrayPrototype::method_set(const FunctionObject *b,
         if (scope.engine->hasException || l != len)
             return scope.engine->throwTypeError();
 
-        if (offset + l > a->length())
+        const uint aLength = a->length();
+        if (offset > aLength || l > aLength - offset)
             RETURN_RESULT(scope.engine->throwRangeError(QStringLiteral("TypedArray.set: out of range")));
 
         uint idx = 0;
@@ -1446,7 +1447,9 @@ ReturnedValue IntrinsicTypedArrayPrototype::method_set(const FunctionObject *b,
         return scope.engine->throwTypeError();
 
     uint l = srcTypedArray->length();
-    if (offset + l > a->length())
+
+    const uint aLength = a->length();
+    if (offset > aLength || l > aLength - offset)
         RETURN_RESULT(scope.engine->throwRangeError(QStringLiteral("TypedArray.set: out of range")));
 
     char *dest = buffer->d()->data->data() + a->d()->byteOffset + offset*elementSize;