Description
When an excerpt of JavaScript such as the following is passed as an argument to a C++ function:

```js
[,"Argument Two","Argument Three"]
```

the following code is called (Qt SDK, C:\Qt\4.7.4\src\script\api\qscriptengine.cpp):

```cpp
QStringList QScriptEnginePrivate::stringListFromArray(JSC::ExecState *exec, JSC::JSValue arr)
{
    QStringList lst;
    uint len = toUInt32(exec, property(exec, arr, exec->propertyNames().length));
    for (uint i = 0; i < len; ++i)
        lst.append(toString(exec, property(exec, arr, i)));
    return lst;
}
```

which then calls (C:\Qt\4.7.4\src\3rdparty\javascriptcore\JavaScriptCore\runtime\JSString.h):

```cpp
inline UString JSValue::toString(ExecState* exec) const
{
    if (isString())
        return static_cast<JSString*>(asCell())->value(exec);
    if (isInt32())
        return exec->globalData().numericStrings.add(asInt32());
    if (isDouble())
        return exec->globalData().numericStrings.add(asDouble());
    if (isTrue())
        return "true";
    if (isFalse())
        return "false";
    if (isNull())
        return "null";
    if (isUndefined())
        return "undefined";
    ASSERT(isCell());
    return asCell()->toString(exec); // <= this line causes the crash, because asCell() returns NULL
}
```

There is a missing check before

```cpp
return asCell()->toString(exec);
```

because `tag() == EmptyValueTag` (-7).
Regards
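As an added illustration that is not Qt or JavaScriptCore code, the following is a small C++ model of the tagged-value cascade from the report with the missing guard in place: the `Value` struct, its tag names and the mapping of an array hole to `"undefined"` (ECMAScript semantics for holes) are assumptions of this model, not the merged Qt patch.

```cpp
// Model (not Qt code) of JSValue::toString and stringListFromArray from the
// report, showing where a guard for the empty (array-hole) tag belongs.
#include <cassert>
#include <string>
#include <vector>

enum Tag { EmptyValueTag, Int32Tag, DoubleTag, TrueTag, FalseTag, NullTag, UndefinedTag, CellTag };

struct Cell { std::string str; };   // stands in for a heap JSString cell

struct Value {
    Tag tag = EmptyValueTag;        // a hole in a sparse array yields this tag and no cell
    int i = 0; double d = 0; const Cell* cell = nullptr;
    static Value empty() { return Value{}; }
    static Value number(int v) { Value x; x.tag = Int32Tag; x.i = v; return x; }
    static Value string(const Cell* c) { Value x; x.tag = CellTag; x.cell = c; return x; }
    bool isCell() const { return tag == CellTag && cell != nullptr; }
};

// Same branch order as the report's JSValue::toString.
std::string toString(const Value& v) {
    if (v.isCell()) return v.cell->str;                 // isString()
    if (v.tag == Int32Tag) return std::to_string(v.i);
    if (v.tag == DoubleTag) return std::to_string(v.d);
    if (v.tag == TrueTag) return "true";
    if (v.tag == FalseTag) return "false";
    if (v.tag == NullTag) return "null";
    if (v.tag == UndefinedTag) return "undefined";
    // The guard the report says is missing: an empty slot has no cell, so
    // dereferencing asCell() would crash. Assumption: treat it as undefined.
    if (v.tag == EmptyValueTag) return "undefined";
    assert(v.isCell());
    return v.cell->str;
}

// Mirrors stringListFromArray: convert every slot 0..length-1, holes included.
std::vector<std::string> stringListFromArray(const std::vector<Value>& arr) {
    std::vector<std::string> lst;
    for (size_t i = 0; i < arr.size(); ++i) lst.push_back(toString(arr[i]));
    return lst;
}

// Constructed input modelling [,"Argument Two","Argument Three"]: index 0 is a hole.
std::vector<std::string> reportCase() {
    static const Cell two{"Argument Two"}, three{"Argument Three"};
    std::vector<Value> arr = { Value::empty(), Value::string(&two), Value::string(&three) };
    return stringListFromArray(arr);
}
```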
Attachments
For Gerrit Dashboard: QTBUG-21896

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 27777,1 | Fix crash when converting invalid JSValue to string | master | qt/qtscript | MERGED | +2 | 0 |
| 32121,1 | Fix crash when converting invalid JSValue to string | 4.8 | qt/qt | MERGED | +2 | 0 |