authorFabian Kosmale <fabian.kosmale@qt.io>2023-01-19 10:56:50 +0100
committerFabian Kosmale <fabian.kosmale@qt.io>2023-01-19 13:24:32 +0100
commit6511aa4344c1d47ede8546540fe70bdff8523545 (patch)
tree8bedd1f3ac690a4b9215e437bf9d822515475f84 /src
parentc33bfda8ab1f29cc6fc3d4fc6c5b6b1ec4885d9e (diff)
QJSEngine: Fix potential JS stack overflow cauased by spread operator
createSpreadArguments could in theory allocate a (nearly) unbounded number of QV4::Values. Avoid this by checking whether we approach jsStackTop. This fixes CVE-2022-43591. Pick-to: 6.5 6.4 6.2 5.15 Change-Id: I01aecb979da47b7261688c9f185dc33a50a579a5 Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/qml/jsruntime/qv4runtime.cpp5
1 files changed, 5 insertions, 0 deletions
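diff --git a/src/qml/jsruntime/qv4runtime.cpp b/src/qml/jsruntime/qv4runtime.cpp
index 69a062a2a2..aa4d5c875a 100644
--- a/src/qml/jsruntime/qv4runtime.cpp
+++ b/src/qml/jsruntime/qv4runtime.cpp
@@ -1539,6 +1539,11 @@ static CallArgs createSpreadArguments(Scope &scope, Value *argv, int argc)
 if (done->booleanValue())
 break;
 ++argCount;
+ constexpr auto safetyMargin = 100; // leave some space on the stack for actual work with the elements
+ if (qint64(scope.engine->jsStackLimit - scope.engine->jsStackTop) < safetyMargin) {
+ scope.engine->throwRangeError(QLatin1String("Too many elements in array to use it with the spread operator"));
+ return { nullptr, 0 };
+ }
 v = scope.alloc<Scope::Uninitialized>();
 }
 }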
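Review bot: The new `return { nullptr, 0 };` after `throwRangeError` makes a null `argv` in the returned CallArgs the only signal that the spread was abandoned with a pending exception, and createSpreadArguments' callers are outside the hunk, so each of them has to test for that null (or `scope.hasException()`) before indexing the arguments; a comment at the return, e.g. `// exception pending: callers must check for a null argv before using the result`, would make that contract visible at the point where it is created. The margin `constexpr auto safetyMargin = 100;` is deduced as int and compared with a `qint64` difference of what are presumably `Value` pointers, so the 100 is a count of stack slots rather than bytes; spelling it `constexpr qint64 safetyMargin = 100; // in Value slots, not bytes` pins both the type and the unit. The check sits after `++argCount` but before the `scope.alloc` on the following line, so the slot is never allocated once the limit is near, which is the right order. The enclosing function starts before the hunk and appears to continue past it.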