Fix potential memory corruption.

The code exploited information that most of types in union use d pointers and that size of d pointer is less or equals then sizeof(QVariant) or sizeof(double). Still the code may suffer from an alignment issue on some exotic platforms. Change-Id: I4ef331f4cdb7177337ddcc8696f78d85e9594d27 Reviewed-on: http://codereview.qt-project.org/4244 Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com> Reviewed-by: Aaron Kennedy <aaron.kennedy@nokia.com> Reviewed-by: Kent Hansen <kent.hansen@nokia.com>
2011-09-05 15:36:19 +02:00 · 2011-09-05 15:36:19 +02:00 · ed438f667c
parent 6cd22a4ca8
commit ed438f667c
1 changed files with 17 additions and 1 deletions
--- a/src/declarative/qml/v8/qv8qobjectwrapper.cpp
+++ b/src/declarative/qml/v8/qv8qobjectwrapper.cpp
@ -120,6 +120,17 @@ public:
 };

 namespace {
+
+template<typename A, typename B, typename C, typename D, typename E>
+class MaxSizeOf5 {
+    template<typename Z, typename X>
+    struct SMax {
+        static const size_t Size = sizeof(Z) > sizeof(X) ? sizeof(Z) : sizeof(X);
+    };
+public:
+    static const size_t Size = SMax<A, SMax<B, SMax<C, SMax<D, E> > > >::Size;
+};
+
 struct MetaCallArgument {
    inline MetaCallArgument();
    inline ~MetaCallArgument();
@ -141,7 +152,12 @@ private:
        bool boolValue;
        QObject *qobjectPtr;

-        char allocData[sizeof(QVariant)];
+        char allocData[MaxSizeOf5<QVariant,
+                                QString,
+                                QList<QObject *>,
+                                QJSValue,
+                                QDeclarativeV8Handle>::Size];
+        qint64 q_for_alignment;
    };

    // Pointers to allocData