Qt / QTBUG-81109

(Ab)use of Proxy in JS leads to nullpointer dereference


    • 5c681f0f0f220c80f412d36a1b644c3eb5e080df (qt/qtdeclarative/5.14)

We can construct an invalid Proxy object that crashes the engine as soon as we iterate over it. Realistically speaking, no one is going to abuse Proxy in this semantically completely nonsensical way - but I think the crash is still unintentional.

/* Crash 1 */
const v1 = new Proxy(Reflect, Reflect);
for (const v2 in v1) {}

/* Crash 2 */
const v3 = { getOwnPropertyDescriptor: eval, getPrototypeOf: eval };
const v4 = new Proxy(v3, v3);
for (const v5 in v4) {}

I suspect this has to do with getOwnPropertyDescriptor not returning the expected type (the stack trace points to ProxyObjectOwnPropertyKeyIterator::next), but I'm not too familiar with that part of the code (or Proxy, for that matter).
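For reference, the following is an added example and not part of the report or of Qt's code. It shows which Proxy traps a spec-conformant engine (here Node's V8) consults while `for...in` enumerates a proxy, and that a `getOwnPropertyDescriptor` trap returning something that is not a valid descriptor (the shape the report suspects) is answered with a `TypeError` rather than a crash. The target objects, handlers and the `calls` log are all constructed for the example.

```javascript
'use strict';

// Record which of the three traps named in the report fire during for...in.
const calls = [];

// Constructed target with two enumerable data properties.
const target = { a: 1, b: 2 };

// Well-formed handler: each trap forwards to Reflect, so every return value
// has the type the spec demands (key list, property descriptor, object/null).
const handler = {
  ownKeys(t) {
    calls.push('ownKeys');
    return Reflect.ownKeys(t);
  },
  getOwnPropertyDescriptor(t, key) {
    calls.push(`gOPD:${String(key)}`);
    return Reflect.getOwnPropertyDescriptor(t, key);
  },
  getPrototypeOf(t) {
    calls.push('getPrototypeOf');
    return Reflect.getPrototypeOf(t);
  },
};

// Enumerate a proxy with for...in and return the keys that were visited.
function enumerateKeys(proxy) {
  const seen = [];
  for (const k in proxy) seen.push(k);
  return seen;
}

// Same enumeration against a handler whose getOwnPropertyDescriptor trap
// returns an empty object. The engine completes it to a non-configurable
// descriptor, which conflicts with the configurable target property, and the
// spec requires a TypeError here. Returns the error's name (or 'no error').
function enumerateMalformed() {
  const badHandler = {
    getOwnPropertyDescriptor() {
      return {}; // not a descriptor for the target's property
    },
  };
  const proxy = new Proxy({ x: 1 }, badHandler);
  try {
    for (const k in proxy) { void k; }
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// Usage: enumerateKeys(new Proxy(target, handler)) returns ['a', 'b'] and
// `calls` starts with 'ownKeys'; enumerateMalformed() returns 'TypeError'.
```

The constructed handler is deliberately boring: the point is that the engine's own enumerator is the consumer of what the traps return, so an engine must validate those values and raise a TypeError on a mismatch, which is the behaviour the two crash snippets above show the QML engine failing to provide.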

ulherman Ulf Hermann
hlt Tobias Holl