Fix crash in Function.prototype.bind

Allocating a 0 sized MemberData hits an assertion
in debug builds.

Change-Id: I0251b2b38f4b48c7ed35d22f88c0c5c4a98e6464
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>

1 files changed, 9 insertions, 7 deletions

diff --git a/src/qml/jsruntime/qv4functionobject.cpp b/src/qml/jsruntime/qv4functionobject.cpp
index dc8ee550d5..83608070ec 100644
--- a/src/qml/jsruntime/qv4functionobject.cpp
+++ b/src/qml/jsruntime/qv4functionobject.cpp
@@ -360,13 +360,15 @@ ReturnedValue FunctionPrototype::method_bind(const FunctionObject *b, const Valu
         BoundFunction *bound = static_cast<BoundFunction *>(target.getPointer());
         Scoped<MemberData> oldArgs(scope, bound->boundArgs());
         boundThis = bound->boundThis();
-        int oldSize = oldArgs->size();
-        boundArgs = MemberData::allocate(scope.engine, oldSize + nArgs);
-        boundArgs->d()->values.size = oldSize + nArgs;
-        for (uint i = 0; i < static_cast<uint>(oldSize); ++i)
-            boundArgs->set(scope.engine, i, oldArgs->data()[i]);
-        for (uint i = 0; i < static_cast<uint>(nArgs); ++i)
-            boundArgs->set(scope.engine, oldSize + i, argv[i + 1]);
+        int oldSize = !oldArgs ? 0 : oldArgs->size();
+        if (oldSize + nArgs) {
+            boundArgs = MemberData::allocate(scope.engine, oldSize + nArgs);
+            boundArgs->d()->values.size = oldSize + nArgs;
+            for (uint i = 0; i < static_cast<uint>(oldSize); ++i)
+                boundArgs->set(scope.engine, i, oldArgs->data()[i]);
+            for (uint i = 0; i < static_cast<uint>(nArgs); ++i)
+                boundArgs->set(scope.engine, oldSize + i, argv[i + 1]);
+        }
         target = bound->target();
     } else if (nArgs) {
         boundArgs = MemberData::allocate(scope.engine, nArgs);