diff options
| author | Fabian Kosmale <fabian.kosmale@qt.io> | 2020-04-21 11:28:41 +0200 |
|---|---|---|
| committer | Fabian Kosmale <fabian.kosmale@qt.io> | 2020-04-21 11:36:39 +0200 |
| commit | 152bca765bab4ce55d4a649896c92c3d4a4f1b30 (patch) | |
| tree | 74b57660ef2dbed6cb1984aae93093582df19a86 /src/qml/jsruntime | |
| parent | 94b46de4050d023ecbb238c2636d7e252f8f5949 (diff) | |
V4: Avoid integer overflow in DataViewCtor
Fixes: QTBUG-83667
Change-Id: Ia54510bd7c20fb232b117c1ea0fa5facfcd1a9a5
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/qml/jsruntime')
| -rw-r--r-- | src/qml/jsruntime/qv4dataview.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4dataview.cpp b/src/qml/jsruntime/qv4dataview.cpp index 5ab8cf2dcb..da1b91e69a 100644 --- a/src/qml/jsruntime/qv4dataview.cpp +++ b/src/qml/jsruntime/qv4dataview.cpp @@ -92,7 +92,7 @@ ReturnedValue DataViewCtor::virtualCallAsConstructor(const FunctionObject *f, co uint byteLength = (argc < 3 || argv[2].isUndefined()) ? (bufferLength - offset) : ::toIndex(scope.engine, argv[2]); if (scope.hasException()) return Encode::undefined(); - if (offset + byteLength > bufferLength) + if (offset > bufferLength || byteLength > bufferLength - offset) return scope.engine->throwRangeError(QStringLiteral("DataView: constructor arguments out of range")); Scoped<DataView> a(scope, scope.engine->memoryManager->allocate<DataView>()); |