Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- Fix Version/s: 5.15, 6.2, 6.4, 6.5
- Commits: 67bb71a051 (qt/qtdeclarative/dev), 67bb71a051 (qt/tqtc-qtdeclarative/dev), f1bcb6c2c6 (qt/qtdeclarative/6.4), f1bcb6c2c6 (qt/tqtc-qtdeclarative/6.4), f1bcb6c2c6 (qt/tqtc-qtdeclarative/tqtc/qtinsight-6.4), 94fd52dbb (tqtc/lts-5.15)
Description
We have a few places where we pass the result of getLength() (int64) to Scope::alloc (int). As the result of getLength() is user-controllable, this can be used either to pass a negative number to alloc or to allocate huge amounts of memory.
As QML assumes trusted input, that's not a security issue per se, but it's still a potential crash bug and needs to be fixed.
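The following is an added illustration of the narrowing described above; it is not code from this report or from qtdeclarative. `FakeScope::alloc(int)` is a stand-in for an int-typed allocator, `kMaxArguments` is an assumed engine bound, and the two `apply_*` functions model the script-controlled `length` reaching the allocator with and without a range check. The unchecked path shows both failure modes from the description (a value that becomes negative after truncation and a value that silently loses its high bits); the checked path rejects negative and oversized lengths before narrowing.

```cpp
// Added example, not Qt's code: models the int64 -> int narrowing bug.
#include <cstdint>
#include <cstddef>
#include <optional>
#include <vector>

// Hypothetical stand-in for an int-typed Scope::alloc. A real engine
// allocator would turn a negative count into an out-of-bounds write;
// here a negative count is reported as -1 so the bug is observable.
struct FakeScope {
    std::vector<std::int64_t> slots;

    long long alloc(int n) {
        if (n < 0) return -1;   // would be memory corruption in an engine
        slots.resize(slots.size() + static_cast<std::size_t>(n));
        return n;               // number of slots actually reserved
    }
};

// Vulnerable pattern: a script-controlled int64 length is narrowed to int
// with no check. For out-of-range values the result wraps modulo 2^32
// (well defined since C++20, implementation-defined on two's complement
// compilers before that), so 2^31 becomes INT_MIN and 2^32+5 becomes 5.
long long apply_unchecked(std::int64_t script_length) {
    FakeScope scope;
    int n = static_cast<int>(script_length);   // the narrowing in the bug
    return scope.alloc(n);
}

// Hardened pattern: validate the int64 before narrowing it. The bound is
// an assumption for this example; an engine would use its own limit and
// throw a RangeError instead of returning nullopt.
constexpr std::int64_t kMaxArguments = 65535;

std::optional<long long> apply_checked(std::int64_t script_length) {
    if (script_length < 0 || script_length > kMaxArguments)
        return std::nullopt;
    FakeScope scope;
    return scope.alloc(static_cast<int>(script_length));
}
```

Note that the checked version also refuses lengths that fit in an int but are absurdly large (for instance 2 000 000 000), which is the "allocate huge amounts of memory" case; a check that only guards against negatives after the cast would still let that through.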
Attachments
Gerrit Dashboard: QTBUG-107619

# | Subject | Branch | Project | Status | CR (Code-Review) | V (Verified) |
---|---|---|---|---|---|---|
437789,6 | QV4: Avoid memory corruption in Reflect.apply | dev | qt/qtdeclarative | MERGED | +2 | 0 |
437921,3 | QV4::Scope: Forbid calling alloc with qint64 | dev | qt/qtdeclarative | MERGED | +2 | 0 |
438134,2 | QV4: Avoid memory corruption in Reflect.apply | 6.4 | qt/qtdeclarative | MERGED | +2 | 0 |
438135,2 | QV4::Scope: Forbid calling alloc with qint64 | 6.4 | qt/qtdeclarative | MERGED | +2 | 0 |
438136,2 | QV4: Avoid memory corruption in Reflect.apply | tqtc/lts-5.15 | qt/tqtc-qtdeclarative | MERGED | -1 | 0 |
438137,2 | QV4: Avoid memory corruption in Reflect.apply | tqtc/lts-6.2 | qt/tqtc-qtdeclarative | MERGED | +2 | 0 |
438178,1 | QV4::Scope: Forbid calling alloc with qint64 | tqtc/lts-5.15 | qt/tqtc-qtdeclarative | ABANDONED | +2 | 0 |
438179,1 | QV4::Scope: Forbid calling alloc with qint64 | tqtc/lts-6.2 | qt/tqtc-qtdeclarative | ABANDONED | +2 | 0 |