QV4: Avoid memory corruption in Reflect.apply

This extracts the check from Function.prototype.apply into a shared
function, and uses it in Reflect.apply, which has the same issue.

Task-number: QTBUG-107619
Change-Id: I899464c86554f9bbb5270a95bbe3fe27531e9a27
Reviewed-by: Ulf Hermann <[email protected]>
(cherry picked from commit 0e963a53c04b0dbe172cfb495b4d62dc8e2f31a3)
Reviewed-by: Qt Cherry-pick Bot <[email protected]>

1 files changed, 19 insertions, 0 deletions

diff --git a/src/qml/jsruntime/qv4engine.cpp b/src/qml/jsruntime/qv4engine.cpp
index bf5d437d10..da683da952 100644
--- a/src/qml/jsruntime/qv4engine.cpp
+++ b/src/qml/jsruntime/qv4engine.cpp
@@ -1892,6 +1892,25 @@ int ExecutionEngine::maxGCStackSize() const
     return m_maxGCStackSize;
 }
 
+/*!
+    \internal
+    Returns \a length converted to int if its safe to
+    pass to \c Scope::alloc.
+    Otherwise it throws a RangeError, and returns 0.
+ */
+int ExecutionEngine::safeForAllocLength(qint64 len64)
+{
+    if (len64 < 0ll || len64 > qint64(std::numeric_limits<int>::max())) {
+        this->throwRangeError(QStringLiteral("Invalid array length."));
+        return 0;
+    }
+    if (len64 > qint64(this->jsStackLimit - this->jsStackTop)) {
+        this->throwRangeError(QStringLiteral("Array too large for apply()."));
+        return 0;
+    }
+    return len64;
+}
+
 ReturnedValue ExecutionEngine::global()
 {
     return globalObject->asReturnedValue();