QQmlComponent: Fix heap buffer overflow with bogus input

Change-Id: I8a725018a5aeb39df370f856cd77d887faa511e3 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
2017-03-15 11:59:14 +01:00 · 2017-03-15 11:59:14 +01:00 · 30dbe57521
parent b63c210f5a
commit 30dbe57521
2 changed files with 17 additions and 0 deletions
--- a/src/qml/parser/qqmljslexer.cpp
+++ b/src/qml/parser/qqmljslexer.cpp
@ -724,6 +724,11 @@ again:
                return multilineStringLiteral ? T_MULTILINE_STRING_LITERAL : T_STRING_LITERAL;
            } else if (_char == QLatin1Char('\\')) {
                scanChar();
+                if (_codePtr > _endPtr) {
+                    _errorCode = IllegalEscapeSequence;
+                    _errorMessage = QCoreApplication::translate("QQmlParser", "End of file reached at escape sequence");
+                    return T_ERROR;
+                }

                QChar u;

--- a/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp
+++ b/tests/auto/qml/qqmlparser/tst_qqmlparser.cpp
@ -49,6 +49,7 @@ private slots:
    void qmlParser_data();
    void qmlParser();
 #endif
+    void invalidEscapeSequence();

 private:
    QStringList excludedDirs;
@ -192,6 +193,17 @@ void tst_qqmlparser::qmlParser()
 }
 #endif

+void tst_qqmlparser::invalidEscapeSequence()
+{
+    using namespace QQmlJS;
+
+    Engine engine;
+    Lexer lexer(&engine);
+    lexer.setCode(QLatin1String("\"\\"), 1);
+    Parser parser(&engine);
+    parser.parse();
+}
+
 QTEST_MAIN(tst_qqmlparser)

 #include "tst_qqmlparser.moc"