Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.6.3
Affects Version/s: 5.6.0
Component/s: QML: Declarative and Javascript Engine
Labels:
None
Environment:
Mac OS X 10.11.4 Qt 5.6.0

Not sure if this happens in earlier versions of Qt.

Commits:
3a45458b96bdcbccc189aabf668e998ea03be46f

Description

If you attempt to use call or apply on Array.prototype.join and use an invalid object as the this argument, Qt will segfault.

Example:

// Works fine with a normal array
Array.prototype.join.call([0, 1]);

// Works fine with this array-like object:
Array.prototype.join.call({
  "length": 2,
  "0": 0,
  "1": 1
});

// Invalid, but will not cause a segfault
Array.prototype.join.call(function(){});

// Will cause a segfault
Array.prototype.join.call(0);
Array.prototype.join.call(null);
Array.prototype.join.call(true);
Array.prototype.join.call();

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Robin Burchell

Reporter:: empyrical

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 27 May '16 17:47

Updated:: 30 Sep '16 11:42

Resolved:: 30 Sep '16 11:42

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

Fix crash on Array.prototype.join.call(0): Gerrit Review: