From b7ce1395998464b2f27e4973992b5f7447b34a49 Mon Sep 17 00:00:00 2001
From: Fabian Kosmale
Date: Mon, 6 Jan 2020 16:10:47 +0100
Subject: QV4: Check recursion limit in toString

Change-Id: I18b7a4e00150f6c47c991a5164901159b7f946b9
Reviewed-by: Ulf Hermann
---
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'tests')

diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 43c931ecf7..e59114a327 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -256,6 +256,8 @@ private slots:
 void sortSparseArray();
 void compileBrokenRegexp();
+ void tostringRecursionCheck();
+
 public:
 Q_INVOKABLE QJSValue throwingCppMethod1();
 Q_INVOKABLE void throwingCppMethod2();
@@ -5020,6 +5022,26 @@ void tst_QJSEngine::compileBrokenRegexp()
 QCOMPARE(value.toString(), "SyntaxError: Invalid flags supplied to RegExp constructor");
 }
+void tst_QJSEngine::tostringRecursionCheck()
+{
+ QJSEngine engine;
+ auto value = engine.evaluate(R"js(
+ var a = {};
+ var b = new Array(1337);
+ function main() {
+ var ret = a.toLocaleString;
+ b[1] = ret;
+ Array = {};
+ Object.toString = b[1];
+ var ret = String.prototype.lastIndexOf.call({}, b[1]);
+ var ret = String.prototype.charAt.call(Function, Object);
+ }
+ main();
+ )js");
+ QVERIFY(value.isError());
+ QCOMPARE(value.toString(), QLatin1String("RangeError: Maximum call stack size exceeded."));
+}
+
 QTEST_MAIN(tst_QJSEngine)
 #include "tst_qjsengine.moc"
--
cgit v1.2.3
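Review bot: The new test only checks that evaluation yields the expected RangeError and never verifies that the engine is usable afterwards, so a recursion guard that trips but leaves the engine's stack or error state inconsistent would still pass; after the QCOMPARE on the message, add a follow-up evaluation such as `QCOMPARE(engine.evaluate("1 + 1").toInt(), 2);`. The raw-string script is an opaque reproducer with no comment saying what it exercises — it appears to install Object.prototype.toLocaleString as Object.toString so that converting `Object` to a primitive re-enters toString until the call-stack limit is reached — and a short comment above `engine.evaluate` stating that intent would tell a future maintainer what a failure means (the engine-side change the subject refers to is not part of this patch, which is limited to 'tests'). The name `tostringRecursionCheck` (here and in the `private slots:` hunk) breaks the camelCase used by the neighbouring slots; `toStringRecursionCheck` would match. The expected message is also compared via `QLatin1String(...)` while the preceding compileBrokenRegexp test uses a plain literal, a minor inconsistency worth aligning either way.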