From 778659c100996947e70ffd7a67ec2bcf748c5082 Mon Sep 17 00:00:00 2001
From: Fabian Kosmale
Date: Thu, 19 Jan 2023 10:56:50 +0100
Subject: QJSEngine: Fix potential JS stack overflow cauased by spread operator
createSpreadArguments could in theory allocate a (nearly) unbounded number of QV4::Values. Avoid this by checking whether we approach jsStackTop. This fixes CVE-2022-43591.
Change-Id: I01aecb979da47b7261688c9f185dc33a50a579a5
Reviewed-by: Ulf Hermann
(cherry picked from commit 6511aa4344c1d47ede8546540fe70bdff8523545)
---
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'tests/auto/qml/qjsengine/tst_qjsengine.cpp')
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 363070d7f8..f1c34e6142 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -271,6 +271,8 @@ private slots:
 void uiLanguage();
 void forOfAndGc();
+ void spreadNoOverflow();
+
 
 public:
 Q_INVOKABLE QJSValue throwingCppMethod1();
 Q_INVOKABLE void throwingCppMethod2();
@@ -5339,6 +5341,16 @@ void tst_QJSEngine::forOfAndGc()
 QTRY_VERIFY(o->property("count").toInt() > 32768);
 }
 
+void tst_QJSEngine::spreadNoOverflow()
+{
+ QJSEngine engine;
+
+ const QString program = QString::fromLatin1("var a = [] ;a.length = 555840;Math.max(...a)");
+ const QJSValue result = engine.evaluate(program);
+ QVERIFY(result.isError());
+ QCOMPARE(result.errorType(), QJSValue::RangeError);
+}
+
 QTEST_MAIN(tst_QJSEngine)
 
 #include "tst_qjsengine.moc"
-- 
cgit v1.2.3
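Review bot: The magic array length 555840 on the `const QString program` line in spreadNoOverflow is undocumented, and since the guard it exercises presumably depends on the engine's default JS value-stack size, a reader cannot tell whether the number is a hard requirement or merely "large enough"; a comment such as `// Spreading this many elements must exhaust the JS value stack and be rejected with RangeError rather than overflowing it` would make the intent and the link to the fix explicit. The test also stops at checking the error type; appending `QCOMPARE(engine.evaluate(QStringLiteral("1 + 1")).toInt(), 2);` after the QCOMPARE would additionally confirm the engine remains usable once the guarded failure has been reported, which is the property that distinguishes a clean RangeError from a partially corrupted stack.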