From 5c681f0f0f220c80f412d36a1b644c3eb5e080df Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Tue, 7 Jan 2020 09:42:19 +0100
Subject: V4: Don't crash when iterating invalid Proxy objects

Fixes: QTBUG-81109
Change-Id: I97f37c68d33f414d7bffa9b66e0aaed93370dc68
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
---
 src/qml/jsruntime/qv4objectiterator.cpp | 2 +-
 src/qml/jsruntime/qv4proxy.cpp          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/qml/jsruntime/qv4objectiterator.cpp b/src/qml/jsruntime/qv4objectiterator.cpp
index e529b8e86b..65f6fa8b12 100644
--- a/src/qml/jsruntime/qv4objectiterator.cpp
+++ b/src/qml/jsruntime/qv4objectiterator.cpp
@@ -182,7 +182,7 @@ PropertyKey ForInIteratorObject::nextProperty() const
             if (d()->current != d()->object) {
                 o = d()->object;
                 bool shadowed = false;
-                while (o->d() != c->heapObject()) {
+                while (o && o->d() != c->heapObject()) {
                     if (o->getOwnProperty(key) != Attr_Invalid) {
                         shadowed = true;
                         break;
diff --git a/src/qml/jsruntime/qv4proxy.cpp b/src/qml/jsruntime/qv4proxy.cpp
index 9325e2e53b..51f96b9003 100644
--- a/src/qml/jsruntime/qv4proxy.cpp
+++ b/src/qml/jsruntime/qv4proxy.cpp
@@ -515,7 +515,7 @@ ProxyObjectOwnPropertyKeyIterator::ProxyObjectOwnPropertyKeyIterator(ArrayObject
 
 PropertyKey ProxyObjectOwnPropertyKeyIterator::next(const Object *m, Property *pd, PropertyAttributes *attrs)
 {
-    if (index >= len)
+    if (index >= len || m == nullptr)
         return PropertyKey::invalid();
 
     Scope scope(m);
-- 
cgit v1.2.3