Avoid oob access on Array.concat

As we have already determined that we're past the end of the allocated space on the source object by checking os->values.alloc, we should conclude that all the remaining values are undefined. Fixes: QTBUG-81037 Change-Id: I664f22b7eb37c26061e8a9e2f88bcf2a7b6e09f3 Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
author: Ulf Hermann <ulf.hermann@qt.io> 2020-01-02 18:24:13 +0100
committer: Ulf Hermann <ulf.hermann@qt.io> 2020-01-06 13:31:57 +0100
commit: 6fa617524a6d0a2bc988e2dc70e8d719d1b9c282 (patch)
tree: ddfabea02cf1692a1430c22f41fab866dbacd5db /src/qml/jsruntime/qv4arraydata.cpp
parent: c3de85efb9f354907a6c74889d15dacd0fa1eda7 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 654d33b8d1..36a53a7057 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -586,7 +586,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         obj->arrayPut(oldSize, os->values.data() + os->offset, chunk);
         toCopy -= chunk;
         if (toCopy)
-            obj->arrayPut(oldSize + chunk, os->values.data(), toCopy);
+            obj->setArrayLength(oldSize + chunk + toCopy);
     }
 
     return oldSize + n;
author	Ulf Hermann <ulf.hermann@qt.io>	2020-01-02 18:24:13 +0100
committer	Ulf Hermann <ulf.hermann@qt.io>	2020-01-06 13:31:57 +0100
commit	6fa617524a6d0a2bc988e2dc70e8d719d1b9c282 (patch)
tree	ddfabea02cf1692a1430c22f41fab866dbacd5db /src/qml/jsruntime/qv4arraydata.cpp
parent	c3de85efb9f354907a6c74889d15dacd0fa1eda7 (diff)