diff options
| author | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2016-04-14 12:40:31 +0200 |
|---|---|---|
| committer | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2016-04-14 13:49:21 +0000 |
| commit | 490ec1ff4e8eecd3abac4796fbe246411205c8d2 (patch) | |
| tree | b4e99cf959efabd42ea90a64ab8e850d438c5b50 | |
| parent | d7ca86b61e61f9375f3924397155b05e9c67d632 (diff) | |
Fix memory corruption when calling Array.unshift()
The dequeue offset won't wrap around when n > offset.
[ChangeLog][QtQml] Fix crash with Array.unshift()
Task-number: QTBUG-52065
Change-Id: I5e8b89ec964cd6397100442a5239254bca989a3f
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
| -rw-r--r-- | src/qml/jsruntime/qv4arraydata.cpp | 8 | ||||
| -rw-r--r-- | tests/auto/qml/qjsengine/tst_qjsengine.cpp | 15 |
2 files changed, 22 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp index ec0185de64..bd736d775e 100644 --- a/src/qml/jsruntime/qv4arraydata.cpp +++ b/src/qml/jsruntime/qv4arraydata.cpp @@ -281,7 +281,13 @@ void SimpleArrayData::push_front(Object *o, const Value *values, uint n) Q_ASSERT(o->d()->arrayData->type == Heap::ArrayData::Simple); dd = o->d()->arrayData.cast<Heap::SimpleArrayData>(); } - dd->offset = (dd->offset - n) % dd->alloc; + if (n <= dd->offset) { + dd->offset -= n; // there is enough space left in front + } else { + // we need to wrap around, so: + dd->offset = dd->alloc - // start at the back, but subtract: + (n - dd->offset); // the number of items we can put in the free space at the start of the allocated array + } dd->len += n; for (uint i = 0; i < n; ++i) dd->data(i) = values[i].asReturnedValue(); diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp index 35824c6d00..9a0865c0ac 100644 --- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp +++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp @@ -142,6 +142,7 @@ private slots: void functionDeclarationsInConditionals(); void arrayPop_QTBUG_35979(); + void array_unshift_QTBUG_52065(); void regexpLastMatch(); void indexedAccesses(); @@ -2999,6 +3000,20 @@ void tst_QJSEngine::arrayPop_QTBUG_35979() QCOMPARE(result.toString(), QString("1,3")); } +void tst_QJSEngine::array_unshift_QTBUG_52065() +{ + QJSEngine eng; + QJSValue result = eng.evaluate("[1, 2, 3, 4, 5, 6, 7, 8, 9]"); + QJSValue unshift = result.property(QStringLiteral("unshift")); + unshift.callWithInstance(result, QJSValueList() << QJSValue(0)); + + int len = result.property(QStringLiteral("length")).toInt(); + QCOMPARE(len, 10); + + for (int i = 0; i < len; ++i) + QCOMPARE(result.property(i).toInt(), i); +} + void tst_QJSEngine::regexpLastMatch() { QJSEngine eng; |