Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-81109

(Ab)use of Proxy in JS leads to nullpointer dereference

    XMLWordPrintable

    Details

    • Commits:
      5c681f0f0f220c80f412d36a1b644c3eb5e080df (qt/qtdeclarative/5.14)

      Description

      We can construct an invalid Proxy object that crashes the engine as soon as we iterate over it. Realistically speaking, noone is going to abuse Proxy in this semantically completely nonsensical way - but I think the crash is still unintentional.

      /* Crash 1 */
      const v1 = new Proxy(Reflect, Reflect);
      for (const v2 in v1) {}
      
      /* Crash 2 */
      const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };
      const v4 = new Proxy(v3, v3);
      for (const v5 in v4) {}
      

      I suspect this has to do with getOwnPropertyDescriptor not returning the expected type (the stack trace points to ProxyObjectOwnPropertyKeyIterator::next), but I'm not too familiar with that part of the code (or Proxy, for that matter).

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            Assignee:
            ulherman Ulf Hermann
            Reporter:
            hlt Tobias Holl
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Gerrit Reviews

                There are no open Gerrit changes