Fix out of bounds reads in Array.concat

In some cases, when our simple array data had an offset and data would wrap around, ArrayData::append would write out of bounds data into the new array, leading to crashes. Task-number: QTBUG-51581 Change-Id: I55172542ef0b94d263cfc9a17d7ca49ec6c3a565 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io> (cherry picked from commit f495d4b660107536d0a67ba48e88550278f13893)
author: Lars Knoll <lars.knoll@qt.io> 2018-03-19 15:07:28 +0100
committer: Lars Knoll <lars.knoll@qt.io> 2018-04-03 08:36:56 +0000
commit: 560360a1b7218865b71ae284dc920c38ffdd60d6 (patch)
tree: e844ed90e53afa3c76c1cc7f62b3a7c262163067
parent: eb4f43a3f69c550213ed0b33cd35786a9a7cbc9f (diff)
2 files changed, 15 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 0944e6d271..0d950223b0 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -647,7 +647,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         uint toCopy = n;
         uint chunk = toCopy;
         if (chunk > os->alloc - os->offset)
-            chunk -= os->alloc - os->offset;
+            chunk = os->alloc - os->offset;
         obj->arrayPut(oldSize, os->arrayData + os->offset, chunk);
         toCopy -= chunk;
         if (toCopy)
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 8b815f7a06..166f17f9e1 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -128,6 +128,7 @@ private slots:
     void JSONparse();
     void arraySort();
     void lookupOnDisappearingProperty();
+    void arrayConcat();
 
     void qRegExpInport_data();
     void qRegExpInport();
@@ -3018,6 +3019,19 @@ void tst_QJSEngine::lookupOnDisappearingProperty()
     QVERIFY(func.call(QJSValueList()<< o).isUndefined());
 }
 
+void tst_QJSEngine::arrayConcat()
+{
+    QJSEngine eng;
+    QJSValue v = eng.evaluate("var x = [1, 2, 3, 4, 5, 6];"
+                              "var y = [];"
+                              "for (var i = 0; i < 5; ++i)"
+                              "    x.shift();"
+                              "for (var i = 10; i < 13; ++i)"
+                              "   x.push(i);"
+                              "x.toString();");
+    QCOMPARE(v.toString(), QString::fromLatin1("6,10,11,12"));
+}
+
 static QRegExp minimal(QRegExp r) { r.setMinimal(true); return r; }
 
 void tst_QJSEngine::qRegExpInport_data()
author	Lars Knoll <lars.knoll@qt.io>	2018-03-19 15:07:28 +0100
committer	Lars Knoll <lars.knoll@qt.io>	2018-04-03 08:36:56 +0000
commit	560360a1b7218865b71ae284dc920c38ffdd60d6 (patch)
tree	e844ed90e53afa3c76c1cc7f62b3a7c262163067
parent	eb4f43a3f69c550213ed0b33cd35786a9a7cbc9f (diff)