| author | Fabian Kosmale <fabian.kosmale@qt.io> | 2022-10-12 15:54:50 +0200 |
|---|---|---|
| committer | Fabian Kosmale <fabian.kosmale@qt.io> | 2022-10-13 17:27:28 +0000 |
| commit | 67bb71a051a562da1c778efa6c99cf64922adb80 (patch) | |
| tree | 38f217f2cdc6dd69c3ae6ab191199ce9f0538959 /src/qml/jsruntime/qv4jsonobject.cpp | |
| parent | 0e963a53c04b0dbe172cfb495b4d62dc8e2f31a3 (diff) | |
QV4::Scope: Forbid calling alloc with qint64
Calling alloc with a qint64 parameter is a good indicator that we got
that value from Object::getLength. In that case, the value needs to be
sanitized with safeForAllocLength.
As a consequence, we notice that method_stringify did indeed use alloc
in an unsafe way; this is now fixed.
In a few other places, variables had to be changed from unsigned to
signed int (as the conversion is now ambiguous).
An even stricter check would be to only accept a value of (not yet
existing) "sanitized_size_t" type. However, that requires more effort,
as it would affect each and every call-site, and is thus left as an exercise
for later.
Pick-to: 6.4 6.2 5.15
Fixes: QTBUG-107619
Change-Id: I3bba9be1e0aea72e11ccb6c168219b4591eb8f5b
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4jsonobject.cpp')
| -rw-r--r-- | src/qml/jsruntime/qv4jsonobject.cpp | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/qml/jsruntime/qv4jsonobject.cpp b/src/qml/jsruntime/qv4jsonobject.cpp index 4643195cfd..6fc854665c 100644 --- a/src/qml/jsruntime/qv4jsonobject.cpp +++ b/src/qml/jsruntime/qv4jsonobject.cpp @@ -904,9 +904,10 @@ ReturnedValue JsonObject::method_stringify(const FunctionObject *b, const Value if (o) { stringify.replacerFunction = o->as<FunctionObject>(); if (o->isArrayObject()) { - uint arrayLen = o->getLength(); + int arrayLen = scope.engine->safeForAllocLength(o->getLength()); + CHECK_EXCEPTION(); stringify.propertyList = static_cast<QV4::String *>(scope.alloc(arrayLen)); - for (uint i = 0; i < arrayLen; ++i) { + for (int i = 0; i < arrayLen; ++i) { Value *v = stringify.propertyList + i; *v = o->get(i); if (v->as<NumberObject>() || v->as<StringObject>() || v->isNumber()) @@ -914,7 +915,7 @@ ReturnedValue JsonObject::method_stringify(const FunctionObject *b, const Value if (!v->isString()) { v->setM(nullptr); } else { - for (uint j = 0; j <i; ++j) { + for (int j = 0; j <i; ++j) { if (stringify.propertyList[j].m() == v->m()) { v->setM(nullptr); break; |
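Review bot: in the first hunk, the ordering `int arrayLen = scope.engine->safeForAllocLength(o->getLength());` then `CHECK_EXCEPTION();` and only then `scope.alloc(arrayLen)` is the load-bearing part of the fix, and it deserves a one-line comment at the call site saying so: `Scope::alloc` hands the count straight to stack allocation, so an oversized `getLength()` result (previously silently narrowed into `uint arrayLen`) must be rejected, with the pending RangeError propagated by `CHECK_EXCEPTION()`, before the allocation rather than after it. The switch to `int arrayLen` also makes the new `alloc(qint64)` prohibition bite here, which is worth stating next to the declaration so a later refactor does not reintroduce a `qint64`.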
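Review bot: in the second hunk, `for (int j = 0; j <i; ++j)` is touched only for the signedness change to match the new `int i`, which is correct, but since the line is being rewritten anyway the spacing should become `j < i` to match the surrounding style (`i < arrayLen` in the first hunk).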
