Fix memory corruption when calling Array.unshift()

The dequeue offset won't wrap around when n > offset. [ChangeLog][QtQml] Fix crash with Array.unshift() Task-number: QTBUG-52065 Change-Id: I5e8b89ec964cd6397100442a5239254bca989a3f Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
author: Simon Hausmann <simon.hausmann@theqtcompany.com> 2016-04-14 12:40:31 +0200
committer: Simon Hausmann <simon.hausmann@theqtcompany.com> 2016-04-14 13:49:21 +0000
commit: 490ec1ff4e8eecd3abac4796fbe246411205c8d2 (patch)
tree: b4e99cf959efabd42ea90a64ab8e850d438c5b50 /src/qml/jsruntime/qv4arraydata.cpp
parent: d7ca86b61e61f9375f3924397155b05e9c67d632 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index ec0185de64..bd736d775e 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -281,7 +281,13 @@ void SimpleArrayData::push_front(Object *o, const Value *values, uint n)
         Q_ASSERT(o->d()->arrayData->type == Heap::ArrayData::Simple);
         dd = o->d()->arrayData.cast<Heap::SimpleArrayData>();
     }
-    dd->offset = (dd->offset - n) % dd->alloc;
+    if (n <= dd->offset) {
+        dd->offset -= n; // there is enough space left in front
+    } else {
+         // we need to wrap around, so:
+        dd->offset = dd->alloc - // start at the back, but subtract:
+                (n - dd->offset); // the number of items we can put in the free space at the start of the allocated array
+    }
     dd->len += n;
     for (uint i = 0; i < n; ++i)
         dd->data(i) = values[i].asReturnedValue();
author	Simon Hausmann <simon.hausmann@theqtcompany.com>	2016-04-14 12:40:31 +0200
committer	Simon Hausmann <simon.hausmann@theqtcompany.com>	2016-04-14 13:49:21 +0000
commit	490ec1ff4e8eecd3abac4796fbe246411205c8d2 (patch)
tree	b4e99cf959efabd42ea90a64ab8e850d438c5b50 /src/qml/jsruntime/qv4arraydata.cpp
parent	d7ca86b61e61f9375f3924397155b05e9c67d632 (diff)