Fix cases where mark() would access uninitialized memory

Change-Id: I4e07e20d30ba57759a0ece1c298a02b098718b33 Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
author: Lars Knoll <lars.knoll@digia.com> 2013-09-20 15:13:14 +0200
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-09-22 15:29:00 +0200
commit: 1fb3cd12c8cdc76d1986736fbd60b5810cc17045 (patch)
tree: 700e7e2d29231a57c945e53fe71e2ab2250e8f2a /src/qml/jsruntime/qv4object.cpp
parent: 47bf40dd49f90b52cc1b545b2be3035d48d6199e (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/src/qml/jsruntime/qv4object.cpp b/src/qml/jsruntime/qv4object.cpp
index c2a120c7f3..78b963e12d 100644
--- a/src/qml/jsruntime/qv4object.cpp
+++ b/src/qml/jsruntime/qv4object.cpp
@@ -1202,11 +1202,11 @@ void Object::arrayConcat(const ArrayObject *other)
             ensureArrayAttributes();
             std::fill(arrayAttributes + arrayDataLen, arrayAttributes + oldSize, PropertyAttributes());
         }
-        arrayDataLen = oldSize + other->arrayDataLen;
         if (other->arrayAttributes) {
-            for (int i = 0; i < arrayDataLen; ++i) {
+            for (int i = 0; i < other->arrayDataLen; ++i) {
                 bool exists;
                 arrayData[oldSize + i].value = Value::fromReturnedValue(const_cast<ArrayObject *>(other)->getIndexed(i, &exists));
+                arrayDataLen = oldSize + i + 1;
                 if (arrayAttributes)
                     arrayAttributes[oldSize + i] = Attr_Data;
                 if (!exists) {
@@ -1215,6 +1215,7 @@ void Object::arrayConcat(const ArrayObject *other)
                 }
             }
         } else {
+            arrayDataLen = oldSize + other->arrayDataLen;
             memcpy(arrayData + oldSize, other->arrayData, other->arrayDataLen*sizeof(Property));
             if (arrayAttributes)
                 std::fill(arrayAttributes + oldSize, arrayAttributes + oldSize + other->arrayDataLen, PropertyAttributes(Attr_Data));
@@ -1449,9 +1450,10 @@ ArrayObject::ArrayObject(ExecutionEngine *engine, const QStringList &list)
     // elements converted to JS Strings.
     int len = list.count();
     arrayReserve(len);
-    for (int ii = 0; ii < len; ++ii)
+    for (int ii = 0; ii < len; ++ii) {
         arrayData[ii].value = Value::fromString(engine->newString(list.at(ii)));
-    arrayDataLen = len;
+        arrayDataLen = ii + 1;
+    }
     setArrayLengthUnchecked(len);
 }
author	Lars Knoll <lars.knoll@digia.com>	2013-09-20 15:13:14 +0200
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-09-22 15:29:00 +0200
commit	1fb3cd12c8cdc76d1986736fbd60b5810cc17045 (patch)
tree	700e7e2d29231a57c945e53fe71e2ab2250e8f2a /src/qml/jsruntime/qv4object.cpp
parent	47bf40dd49f90b52cc1b545b2be3035d48d6199e (diff)