Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 6.4.1, 6.5.0 Beta1, 6.5
Affects Version/s: 5.15, 6.2, 6.4, 6.5
Component/s: QML: Declarative and Javascript Engine
Labels:
- qmlnext

Commits:
67bb71a051 (qt/qtdeclarative/dev) 67bb71a051 (qt/tqtc-qtdeclarative/dev) f1bcb6c2c6 (qt/qtdeclarative/6.4) f1bcb6c2c6 (qt/tqtc-qtdeclarative/6.4) f1bcb6c2c6 (qt/tqtc-qtdeclarative/tqtc/qtinsight-6.4), 94fd52dbb (tqtc/lts-5.15)

Description

We have a few places where we pass the result of getLength() (int64) to Scope::alloc (int). As the result of getLength is user controllable, this can be used to either pass a negative number to alloc, or to allocate huge amounts of memory.

As QML assumes trusted input, that's not a security issue per se, but it's still a potential crash-bug and needs to be fixed

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Qt Qml Team User

Reporter:: Fabian Kosmale

PM Owner:: Vladimir Minenko

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 13 Oct '22 09:04

Updated:: 05 Dec '22 18:37

Resolved:: 13 Oct '22 20:13

Gerrit Reviews

There are no open Gerrit changes

Show There are 8 closed Gerrit changes

Hide There are 8 closed Gerrit changes

QV4: Avoid memory corruption in Reflect.apply: Gerrit Review:

QV4::Scope: Forbid calling alloc with qint64: Gerrit Review:

QV4: Avoid memory corruption in Reflect.apply: Gerrit Review:

QV4::Scope: Forbid calling alloc with qint64: Gerrit Review:

QV4: Avoid memory corruption in Reflect.apply: Gerrit Review:

QV4: Avoid memory corruption in Reflect.apply: Gerrit Review:

QV4::Scope: Forbid calling alloc with qint64: Gerrit Review:

QV4::Scope: Forbid calling alloc with qint64: Gerrit Review: