Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-81109

(Ab)use of Proxy in JS leads to nullpointer dereference

    XMLWordPrintable

Details

    • 5c681f0f0f220c80f412d36a1b644c3eb5e080df (qt/qtdeclarative/5.14)

    Description

      We can construct an invalid Proxy object that crashes the engine as soon as we iterate over it. Realistically speaking, noone is going to abuse Proxy in this semantically completely nonsensical way - but I think the crash is still unintentional.

      /* Crash 1 */
const v1 = new Proxy(Reflect, Reflect);
for (const v2 in v1) {}

/* Crash 2 */
const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };
const v4 = new Proxy(v3, v3);
for (const v5 in v4) {}

      I suspect this has to do with getOwnPropertyDescriptor not returning the expected type (the stack trace points to ProxyObjectOwnPropertyKeyIterator::next), but I'm not too familiar with that part of the code (or Proxy, for that matter).

      Attachments

        1. proxy-nullptr.js
          0.2 kB
          Tobias Holl
        For Gerrit Dashboard: QTBUG-81109
        # Subject Branch Project Status CR V
        285697,5 V4: Don't crash when iterating invalid Proxy objects 5.14 qt/qtdeclarative Status: MERGED +2 0

        Activity

          People

            ulherman Ulf Hermann
            hlt Tobias Holl
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes