Fix a crash when copying array data

Regression from 5.5. d()->arrayData->alloc can be larger, but never smaller than the allocation of the other's array data. Change-Id: I7d2265768f9d6e6298bfbba0d674a4d0e642422f Task-number: QTBUG-48727 Reviewed-by: Liang Qi <liang.qi@theqtcompany.com> Reviewed-by: Nikita Krupenko <krnekit@gmail.com> Reviewed-by: Simon Hausmann <simon.hausmann@theqtcompany.com>
author: Lars Knoll <lars.knoll@theqtcompany.com> 2015-10-14 14:25:41 +0200
committer: Liang Qi <liang.qi@theqtcompany.com> 2015-10-20 06:47:42 +0000
commit: af390399c8017f69cfc9cdd4ef74144e6810fbe2 (patch)
tree: e33b26d89637636c178131981aec28485d70599e /src/qml/jsruntime
parent: 41dacccfbc53eeb0568a4d0bab766259abe26762 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4object.cpp b/src/qml/jsruntime/qv4object.cpp
index ee3539c176..ba29d52bc6 100644
--- a/src/qml/jsruntime/qv4object.cpp
+++ b/src/qml/jsruntime/qv4object.cpp
@@ -1107,7 +1107,7 @@ void Object::copyArrayData(Object *other)
             dd->len = other->d()->arrayData->len;
             dd->offset = other->d()->arrayData->offset;
         }
-        memcpy(d()->arrayData->arrayData, other->d()->arrayData->arrayData, d()->arrayData->alloc*sizeof(Value));
+        memcpy(d()->arrayData->arrayData, other->d()->arrayData->arrayData, other->d()->arrayData->alloc*sizeof(Value));
     }
     setArrayLengthUnchecked(other->getLength());
 }
author	Lars Knoll <lars.knoll@theqtcompany.com>	2015-10-14 14:25:41 +0200
committer	Liang Qi <liang.qi@theqtcompany.com>	2015-10-20 06:47:42 +0000
commit	af390399c8017f69cfc9cdd4ef74144e6810fbe2 (patch)
tree	e33b26d89637636c178131981aec28485d70599e /src/qml/jsruntime
parent	41dacccfbc53eeb0568a4d0bab766259abe26762 (diff)