From ed438f667cb33d77d66a1a8dc4edd691f435a61c Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C4=99drzej=20Nowacki?= Date: Mon, 5 Sep 2011 15:36:19 +0200 Subject: [PATCH] Fix potential memory corruption. The code exploited information that most of types in union use d pointers and that size of d pointer is less or equals then sizeof(QVariant) or sizeof(double). Still the code may suffer from an alignment issue on some exotic platforms. Change-Id: I4ef331f4cdb7177337ddcc8696f78d85e9594d27 Reviewed-on: http://codereview.qt-project.org/4244 Reviewed-by: Qt Sanity Bot Reviewed-by: Aaron Kennedy Reviewed-by: Kent Hansen --- src/declarative/qml/v8/qv8qobjectwrapper.cpp | 18 +++++++++++++++++- 1 files changed, 17 insertions(+), 1 deletions(-) diff --git a/src/declarative/qml/v8/qv8qobjectwrapper.cpp b/src/declarative/qml/v8/qv8qobjectwrapper.cpp index 348b6c0..5b5c8be 100644 --- a/src/declarative/qml/v8/qv8qobjectwrapper.cpp +++ b/src/declarative/qml/v8/qv8qobjectwrapper.cpp @@ -120,6 +120,17 @@ public: }; namespace { + +template +class MaxSizeOf5 { + template + struct SMax { + static const size_t Size = sizeof(Z) > sizeof(X) ? sizeof(Z) : sizeof(X); + }; +public: + static const size_t Size = SMax > > >::Size; +}; + struct MetaCallArgument { inline MetaCallArgument(); inline ~MetaCallArgument(); @@ -141,7 +152,12 @@ private: bool boolValue; QObject *qobjectPtr; - char allocData[sizeof(QVariant)]; + char allocData[MaxSizeOf5, + QJSValue, + QDeclarativeV8Handle>::Size]; + qint64 q_for_alignment; }; // Pointers to allocData -- 1.7.2.5