author | Fabian Kosmale <[email protected]> | 2022-10-12 15:54:50 +0200 |
committer | Fabian Kosmale <[email protected]> | 2022-10-13 17:27:28 +0000 |
commit | 67bb71a051a562da1c778efa6c99cf64922adb80 (patch) | |
tree | 38f217f2cdc6dd69c3ae6ab191199ce9f0538959 /src/qml/jsruntime/qv4functionobject.cpp | |
parent | 0e963a53c04b0dbe172cfb495b4d62dc8e2f31a3 (diff) |
QV4::Scope: Forbid calling alloc with qint64
Calling alloc with a qint64 parameter is a good indicator that we got
that value from Object::getLength. In that case, the value needs to be
sanitized with safeForAllocLength.
As a consequence, we notice that method_stringify did indeed use alloc
in an unsafe way; this is now fixed.
In a few other places, variables had to be changed from unsigned to
signed int (as the conversion is now ambiguous).
An even stricter check would be to only accept a value of (not yet
existing) "sanitized_size_t" type. However, that requires more effort,
as it would affect each and every call-site, and is thus left as an exercise
for later.
Pick-to: 6.4 6.2 5.15
Fixes: QTBUG-107619
Change-Id: I3bba9be1e0aea72e11ccb6c168219b4591eb8f5b
Reviewed-by: Ulf Hermann <[email protected]>
Diffstat (limited to 'src/qml/jsruntime/qv4functionobject.cpp')
-rw-r--r-- | src/qml/jsruntime/qv4functionobject.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index fd0c714060..6cc2ca7ab0 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -348,30 +348,30 @@ ReturnedValue FunctionPrototype::method_apply(const QV4::FunctionObject *b, cons
         return v4->throwTypeError();
 
     Scope scope(v4);
-    const uint len = v4->safeForAllocLength(arr->getLength());
+    const int len = v4->safeForAllocLength(arr->getLength());
     CHECK_EXCEPTION();
 
     Value *arguments = scope.alloc<Scope::Uninitialized>(len);
     if (len) {
         if (ArgumentsObject::isNonStrictArgumentsObject(arr) && !arr->cast<ArgumentsObject>()->fullyCreated()) {
             QV4::ArgumentsObject *a = arr->cast<ArgumentsObject>();
-            int l = qMin(len, (uint)a->d()->context->argc());
+            int l = qMin(len, a->d()->context->argc());
             memcpy(arguments, a->d()->context->args(), l*sizeof(Value));
-            for (quint32 i = l; i < len; ++i)
+            for (int i = l; i < len; ++i)
                 arguments[i] = Value::undefinedValue();
         } else if (arr->arrayType() == Heap::ArrayData::Simple && !arr->protoHasArray()) {
             auto sad = static_cast<Heap::SimpleArrayData *>(arr->arrayData());
-            uint alen = sad ? sad->values.size : 0;
+            int alen = sad ? sad->values.size : 0;
             if (alen > len)
                 alen = len;
-            for (uint i = 0; i < alen; ++i)
+            for (int i = 0; i < alen; ++i)
                 arguments[i] = sad->data(i);
-            for (quint32 i = alen; i < len; ++i)
+            for (int i = alen; i < len; ++i)
                 arguments[i] = Value::undefinedValue();
         } else {
             // need to init the arguments array, as the get() calls below can have side effects
             memset(arguments, 0, len*sizeof(Value));
-            for (quint32 i = 0; i < len; ++i)
+            for (int i = 0; i < len; ++i)
                 arguments[i] = arr->get(i);
         }
     }
|
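Review bot: The new line `int alen = sad ? sad->values.size : 0;` narrows an element count to `int` with no range check, which is the same class of unchecked length that the rest of this commit is sanitizing; if `values.size` is unsigned (the removed `uint alen` suggests it is), a count above INT_MAX would become negative, skip the `if (alen > len)` clamp, and make the second fill loop start at a negative index into `arguments`. Whether the array allocator can ever produce such a count is not visible here, so this may be unreachable in practice, but clamping before the conversion makes the invariant explicit and subsumes the two clamp lines: `int alen = sad ? int(qMin(sad->values.size, uint(len))) : 0;`. That relies on `len` being non-negative after `safeForAllocLength`, which its direct use as the count for `scope.alloc` implies but which is not shown in this hunk. `method_apply` starts before the hunk (only its truncated signature appears in the hunk header) and ends after it.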