diff options
| author | Lars Knoll <lars.knoll@qt.io> | 2018-03-19 15:07:28 +0100 |
|---|---|---|
| committer | Simon Hausmann <simon.hausmann@qt.io> | 2018-03-20 07:33:28 +0000 |
| commit | f495d4b660107536d0a67ba48e88550278f13893 (patch) | |
| tree | d9fd9504b1e0f27ec92afd97c49263d3bebf4fab /src/qml | |
| parent | e1d32c80665c7d90a21138b26cb74dbfc86a63ba (diff) | |
Fix out of bounds reads in Array.concat
In some cases, when our simple array data had an offset and
data would wrap around, ArrayData::append would write out
of bounds data into the new array, leading to crashes.
Task-number: QTBUG-51581
Change-Id: I55172542ef0b94d263cfc9a17d7ca49ec6c3a565
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'src/qml')
| -rw-r--r-- | src/qml/jsruntime/qv4arraydata.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp index 30c8527f21..b9c0e12305 100644 --- a/src/qml/jsruntime/qv4arraydata.cpp +++ b/src/qml/jsruntime/qv4arraydata.cpp @@ -617,7 +617,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n) uint toCopy = n; uint chunk = toCopy; if (chunk > os->values.alloc - os->offset) - chunk -= os->values.alloc - os->offset; + chunk = os->values.alloc - os->offset; obj->arrayPut(oldSize, os->values.data() + os->offset, chunk); toCopy -= chunk; if (toCopy) |