V4: Avoid integer overflow in DataViewCtor

Fixes: QTBUG-83667 Change-Id: Ia54510bd7c20fb232b117c1ea0fa5facfcd1a9a5 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-04-21 11:28:41 +0200
committer: Fabian Kosmale <fabian.kosmale@qt.io> 2020-04-21 11:36:39 +0200
commit: 152bca765bab4ce55d4a649896c92c3d4a4f1b30 (patch)
tree: 74b57660ef2dbed6cb1984aae93093582df19a86 /tests/auto/qml/qjsengine
parent: 94b46de4050d023ecbb238c2636d7e252f8f5949 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index aeb0303899..26737e79c4 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -263,6 +263,7 @@ private slots:
     void arrayIncludesWithLargeArray();
     void printCircularArray();
     void typedArraySet();
+    void dataViewCtor();
 
     void uiLanguage();
 
@@ -5145,6 +5146,21 @@ void tst_QJSEngine::typedArraySet()
     }
 }
 
+void tst_QJSEngine::dataViewCtor()
+{
+    QJSEngine engine;
+    const auto error = engine.evaluate(R"(
+    (function() { try {
+        var buf = new ArrayBuffer(0x200);
+        var vuln = new DataView(buf, 8, 0xfffffff8);
+    } catch (e) {
+        return e;
+    }})()
+    )");
+    QVERIFY(error.isError());
+    QCOMPARE(error.toString(), "RangeError: DataView: constructor arguments out of range");
+}
+
 void tst_QJSEngine::uiLanguage()
 {
     {
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-04-21 11:28:41 +0200
committer	Fabian Kosmale <fabian.kosmale@qt.io>	2020-04-21 11:36:39 +0200
commit	152bca765bab4ce55d4a649896c92c3d4a4f1b30 (patch)
tree	74b57660ef2dbed6cb1984aae93093582df19a86 /tests/auto/qml/qjsengine
parent	94b46de4050d023ecbb238c2636d7e252f8f5949 (diff)