From 152bca765bab4ce55d4a649896c92c3d4a4f1b30 Mon Sep 17 00:00:00 2001
From: Fabian Kosmale
Date: Tue, 21 Apr 2020 11:28:41 +0200
Subject: V4: Avoid integer overflow in DataViewCtor
Fixes: QTBUG-83667
Change-Id: Ia54510bd7c20fb232b117c1ea0fa5facfcd1a9a5
Reviewed-by: Simon Hausmann
---
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'tests/auto/qml/qjsengine')
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index aeb0303899..26737e79c4 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -263,6 +263,7 @@ private slots:
 void arrayIncludesWithLargeArray();
 void printCircularArray();
 void typedArraySet();
+ void dataViewCtor();
 void uiLanguage();
@@ -5145,6 +5146,21 @@ void tst_QJSEngine::typedArraySet()
 }
 }
+void tst_QJSEngine::dataViewCtor()
+{
+ QJSEngine engine;
+ const auto error = engine.evaluate(R"(
+ (function() { try {
+ var buf = new ArrayBuffer(0x200);
+ var vuln = new DataView(buf, 8, 0xfffffff8);
+ } catch (e) {
+ return e;
+ }})()
+ )");
+ QVERIFY(error.isError());
+ QCOMPARE(error.toString(), "RangeError: DataView: constructor arguments out of range");
+}
 void tst_QJSEngine::uiLanguage()
 {
 {
--
cgit v1.2.3
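Review bot: The new dataViewCtor test pins only the one wrapping shape, offset 8 plus length 0xfffffff8, whose 32-bit sum is exactly 0 and so lands inside the 0x200-byte buffer if the constructor adds before it compares; the engine-side fix this commit references is not in this diff, so the test is the only guard against a regression and it should also cover the neighbouring cases. Worth adding a second evaluate with an offset alone past the end, `new DataView(buf, 0x201)`, asserting the same RangeError, and a positive boundary, `new DataView(buf, 0x1f8, 8)`, asserting `!isError()` so the fix is shown not to over-reject an exact fit. The local `vuln` is never read after construction; `new DataView(buf, 8, 0xfffffff8);` as a bare expression statement says the same thing without suggesting the value matters. A one-line comment above the evaluate, `// 8 + 0xfffffff8 wraps to 0 in uint32, so an unchecked add would accept this view`, would record why these particular constants were chosen.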