[QTBUG-81109] (Ab)use of Proxy in JS leads to nullpointer dereference - Qt Bug Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: P1: Critical
Resolution: Done
Affects Version/s: 5.13.2
Fix Version/s: 5.14.1, 5.15.0 Alpha
Component/s: QML: Declarative and Javascript Engine
Labels:
- earmarked_by_ulf

Commits:
5c681f0f0f220c80f412d36a1b644c3eb5e080df (qt/qtdeclarative/5.14)

Description

We can construct an invalid Proxy object that crashes the engine as soon as we iterate over it. Realistically speaking, noone is going to abuse Proxy in this semantically completely nonsensical way - but I think the crash is still unintentional.

/* Crash 1 */
const v1 = new Proxy(Reflect, Reflect);
for (const v2 in v1) {}

/* Crash 2 */
const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };
const v4 = new Proxy(v3, v3);
for (const v5 in v4) {}

I suspect this has to do with getOwnPropertyDescriptor not returning the expected type (the stack trace points to ProxyObjectOwnPropertyKeyIterator::next), but I'm not too familiar with that part of the code (or Proxy, for that matter).

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Attachments

proxy-nullptr.js
0.2 kB
06 Jan '20 16:27

Options
- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

Gerrit Reviews

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Ulf Hermann

Reporter:: Tobias Holl

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 06 Jan '20 16:29

Updated:: 09 Jan '20 18:18

Resolved:: 08 Jan '20 10:30

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

V4: Don't crash when iterating invalid Proxy objects: Gerrit Review: