Details
- Bug
- Resolution: Done
- P2: Important
- 5.2.1, 5.3.0 Beta1
- None
- Windows 8, QT5.2 & QT5.3, debug mode, msvc2012 32b/64b
- 932ebc4e7c2a67538a36e311c32e00d434de189e (qtdeclarative)
Description
This small script crashes QJSEngine in debug mode:
#include <QJSEngine>
QJSEngine engine;
// obj.meth.call(1,2,3): argument 0 becomes `this`, the remaining two arguments are copied into callData->args
engine.evaluate("var obj = { meth: function(a,b,c) {} }; obj.meth.call(1,2,3); ");
stack trace:
... qv4functionobject.cpp line 380:

ReturnedValue FunctionPrototype::method_call(CallContext *ctx)
{
    Scope scope(ctx);
    FunctionObject *o = ctx->callData->thisObject.asFunctionObject();
    if (!o)
        return ctx->throwTypeError();

    ScopedCallData callData(scope, ctx->callData->argc ? ctx->callData->argc - 1 : 0);
    if (ctx->callData->argc) {
        std::copy(ctx->callData->args + 1, ctx->callData->args + ctx->callData->argc, callData->args);
        // ^^^^^^^^ crash here
    }
    callData->thisObject = ctx->argument(0);
    return o->call(callData);
}
- std::copy checks the destination buffer size to guard against buffer overflow, and callData->args has size 1 (SafeValue[1]) because it is dynamically allocated on the internal engine stack.
So if you copy more than one parameter, Visual C++ complains.
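An added example (not code from this report or from Qt) modelling the mismatch the report describes: a trailing array declared with bound 1, a checked copy whose bound is deduced from that declaration, and a copy bounded by the slots actually allocated. Value, CallData, allocCallData, copyDeclaredBound, copyAllocatedBound and shiftArgs are hypothetical names chosen for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <vector>
struct Value { int v; };  // hypothetical stand-in for the engine's value type
// Like the report's CallData: args is declared with bound 1, the real slot count comes from the allocation.
struct CallData { Value thisObject; Value args[1]; };

// Allocate room for `slots` argument slots (at least one). Caller frees.
CallData *allocCallData(std::size_t slots) {
    if (slots == 0) slots = 1;
    CallData *cd = static_cast<CallData *>(std::malloc(sizeof(CallData) + (slots - 1) * sizeof(Value)));
    if (!cd) std::abort();
    return cd;
}

// Checked copy whose bound is deduced from the array declaration: N is 1 for
// CallData::args, so two or more elements are refused even though memory exists.
template <std::size_t N>
bool copyDeclaredBound(const Value *first, const Value *last, Value (&dest)[N]) {
    if (static_cast<std::size_t>(last - first) > N) return false;
    std::copy(first, last, dest);
    return true;
}

// The check that matches reality: bound against the slots actually allocated.
bool copyAllocatedBound(const Value *first, const Value *last, Value *dest, std::size_t slots) {
    if (static_cast<std::size_t>(last - first) > slots) return false;
    std::copy(first, last, dest);
    return true;
}

// method_call's shuffle: arg 0 becomes thisObject, the rest shift down one slot.
// Returns the shifted args, or an empty vector when the copy was refused.
std::vector<int> shiftArgs(const std::vector<int> &in, bool useDeclaredBound) {
    std::vector<Value> src(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) src[i].v = in[i];
    std::size_t outc = in.empty() ? 0 : in.size() - 1;
    CallData *cd = allocCallData(outc);
    bool ok = true;
    if (!src.empty()) {
        cd->thisObject = src[0];
        const Value *b = src.data() + 1, *e = src.data() + src.size();
        ok = useDeclaredBound ? copyDeclaredBound(b, e, cd->args)
                              : copyAllocatedBound(b, e, cd->args, outc ? outc : 1);
    }
    std::vector<int> out;
    for (std::size_t i = 0; ok && i < outc; ++i) out.push_back(cd->args[i].v);
    std::free(cd);
    return out;
}
```

With three call arguments, the declaration-derived bound refuses the two-element copy exactly as the report describes, while the allocation-derived bound accepts it.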