authorGiuseppe D'Angelo <giuseppe.dangelo@kdab.com>2016-11-04 00:11:59 +0100
committerGiuseppe D'Angelo <giuseppe.dangelo@kdab.com>2016-11-04 10:41:45 +0000
commit64714ea431f2fd355ed27edc69dba4e992511e75 (patch)
treeeff4e1481f28b8ee63a77987f74f17538a64ac4c /src
parent5861ea797da3ff3ce86e81a35af007648b732efd (diff)
QV4String: properly detect overflow when trying to convert to an array index
A wrong overflow detection caused strings like "240000000000" to pass the conversion, even though they would not fit into a uint when converted into base-10. This mis-conversion to uint then caused all sorts of side effects (broken comparisons, wrong listing of properties, and so on). So, properly fix the overflow detection by using our numeric private functions. Change-Id: Icbf67ac68cf5785d6c77b433c7a45aed5285a8c2 Task-number: QTBUG-56830 Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/qml/jsruntime/qv4string.cpp12
-rw-r--r--src/qmldevtools/qmldevtools.pro2
2 files changed, 10 insertions, 4 deletions
diff --git a/src/qml/jsruntime/qv4string.cpp b/src/qml/jsruntime/qv4string.cpp
index 24a13ddd10..da3c783808 100644
--- a/src/qml/jsruntime/qv4string.cpp
+++ b/src/qml/jsruntime/qv4string.cpp
@@ -40,6 +40,7 @@
#include "qv4stringobject_p.h"
#endif
#include <QtCore/QHash>
+#include <QtCore/private/qnumeric_p.h>
using namespace QV4;
@@ -57,10 +58,15 @@ static uint toArrayIndex(const QChar *ch, const QChar *end)
uint x = ch->unicode() - '0';
if (x > 9)
return UINT_MAX;
- uint n = i*10 + x;
- if (n < i)
- // overflow
+
+ uint n;
+ // n = i * 10 + x, with overflow checking
+ if (mul_overflow(i, 10u, &n))
return UINT_MAX;
+
+ if (add_overflow(n, x, &n))
+ return UINT_MAX;
+
i = n;
++ch;
}
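Review bot: The checked `mul_overflow(i, 10u, &n)` / `add_overflow(n, x, &n)` pair rejects every value above UINT_MAX, but a digit string that parses to exactly UINT_MAX ("4294967295") still leaves `i` equal to the value this function uses as its failure sentinel, and nothing next to the check says whether that is intended. If the function returns `i` after the loop (the start and end of toArrayIndex are outside this hunk), the result happens to be correct because 2^32-1 is not a valid ECMAScript array index, so I would record that beside the check: `// "4294967295" does not overflow but equals the UINT_MAX sentinel; 2^32-1 is not a valid array index, so rejecting it is intended`. A regression test for the boundary strings "4294967294", "4294967295" and "4294967296", plus the "240000000000" case from the commit message, would pin this down; none is visible here, though the diffstat is limited to src.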
diff --git a/src/qmldevtools/qmldevtools.pro b/src/qmldevtools/qmldevtools.pro
index 3f199e5971..42fe53ed60 100644
--- a/src/qmldevtools/qmldevtools.pro
+++ b/src/qmldevtools/qmldevtools.pro
@@ -1,6 +1,6 @@
option(host_build)
TARGET = QtQmlDevTools
-QT = core
+QT = core core-private
CONFIG += static internal_module qmldevtools_build
# Don't use pch because the auto-generated header refers to QtBootstrap,