[QTBUG-78955] Freeze or crash in QJSEngine::evaluate() - Qt Bug Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: P2: Important
Resolution: Unresolved
Affects Version/s: 5.12.5, 5.13.0, 5.14
Fix Version/s: 6.x
Component/s: QML: Declarative and Javascript Engine
Labels:
- found_by_libfuzzer
- qmlnext
Environment:
clang 8.0.1
gcc 9.1.0

Commits:
d1047887a6fd4f890484203a01ee5f1eefc1a20a (qt/qtdeclarative/5.15)

Description

Build and run a simple QCoreApplication:

#include <QCoreApplication>
#include <QJSEngine>

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    QJSEngine().evaluate(QByteArray("Array(1E9)|1"));
    return 0;
}

It will take more than a minute or crash going oom.

It seems as if this could be handled better because:

the JavaScript seems to only return what's behind the "|"
```
Array(1E9)
```
will not freeze at all
```
Array(1E10)|1
```
does not freeze either.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

QTBUG-78955.js
0.0 kB
02 Oct '19 15:25

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Ulf Hermann

Reporter:: Robert Löhning

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02 Oct '19 15:22

Updated:: 18 Jul '22 15:44

Gerrit Reviews

There are no open Gerrit changes

Show There are 5 closed Gerrit changes

Hide There are 5 closed Gerrit changes

fuzzing: Add JavaScript file causing freeze: Gerrit Review:

Make ScopedValue's CHECK_EXCEPTION also check isInterrupted: Gerrit Review:

RuntimeHelpers: Short-circuit stringToNumber on huge strings: Gerrit Review:

fuzzing: Add JavaScript file which consumes huge memory: Gerrit Review:

Fuzzing: Avoid out-of-memory in QJSEngine::evaluate(): Gerrit Review: