author | Fabian Kosmale <fabian.kosmale@qt.io> | 2023-01-19 10:56:50 +0100 |
---|---|---|
committer | Fabian Kosmale <fabian.kosmale@qt.io> | 2023-01-19 13:24:32 +0100 |
commit | 6511aa4344c1d47ede8546540fe70bdff8523545 (patch) | |
tree | 8bedd1f3ac690a4b9215e437bf9d822515475f84 /src | |
parent | c33bfda8ab1f29cc6fc3d4fc6c5b6b1ec4885d9e (diff) |
QJSEngine: Fix potential JS stack overflow caused by spread operator
createSpreadArguments could in theory allocate a (nearly) unbounded
number of QV4::Values. Avoid this by checking whether we approach
jsStackTop.
This fixes CVE-2022-43591.
Pick-to: 6.5 6.4 6.2 5.15
Change-Id: I01aecb979da47b7261688c9f185dc33a50a579a5
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Diffstat (limited to 'src')
-rw-r--r-- | src/qml/jsruntime/qv4runtime.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/qml/jsruntime/qv4runtime.cpp b/src/qml/jsruntime/qv4runtime.cpp
index 69a062a2a2..aa4d5c875a 100644
--- a/src/qml/jsruntime/qv4runtime.cpp
+++ b/src/qml/jsruntime/qv4runtime.cpp
@@ -1539,6 +1539,11 @@ static CallArgs createSpreadArguments(Scope &scope, Value *argv, int argc)
 if (done->booleanValue())
 break;
 ++argCount;
+ constexpr auto safetyMargin = 100; // leave some space on the stack for actual work with the elements
+ if (qint64(scope.engine->jsStackLimit - scope.engine->jsStackTop) < safetyMargin) {
+ scope.engine->throwRangeError(QLatin1String("Too many elements in array to use it with the spread operator"));
+ return { nullptr, 0 };
+ }
 v = scope.alloc<Scope::Uninitialized>();
 }
 } |
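Review bot: The added guard compares a pointer difference against `safetyMargin` without stating the unit, and the existing comment ("some space on the stack") reads as if it were bytes; if `jsStackLimit` and `jsStackTop` are `Value*` as the subtraction suggests, the margin is 100 Value slots, so the comment should say `// margin is in Value slots (jsStackLimit/jsStackTop are Value*), not bytes; keeps room for the callee's own frame`. The `qint64(...)` cast also silently converts a `ptrdiff_t`; a negative result (top already past limit) trips the check, which is the desired outcome, but a one-line comment saying that is intentional would stop a later reader from "fixing" it to an unsigned compare. On the error path the function returns `{ nullptr, 0 }` after `throwRangeError`, so every caller of `createSpreadArguments` must test `scope.hasException()` (or the null pointer) before touching the arguments; whether all callers do is not visible in this hunk. The enclosing loop and `createSpreadArguments` itself begin and end outside the hunk, so the allocation made before the first iteration, if any, is not covered by this check.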