Fix out of bounds reads in Array.concat

In some cases, when our simple array data had an offset and data would wrap around, ArrayData::append would write out of bounds data into the new array, leading to crashes. Task-number: QTBUG-51581 Change-Id: I55172542ef0b94d263cfc9a17d7ca49ec6c3a565 Reviewed-by: Simon Hausmann <simon.hausmann@qt.io> (cherry picked from commit f495d4b660107536d0a67ba48e88550278f13893)
author: Lars Knoll <lars.knoll@qt.io> 2018-03-19 15:07:28 +0100
committer: Lars Knoll <lars.knoll@qt.io> 2018-04-03 08:36:56 +0000
commit: 560360a1b7218865b71ae284dc920c38ffdd60d6 (patch)
tree: e844ed90e53afa3c76c1cc7f62b3a7c262163067 /src
parent: eb4f43a3f69c550213ed0b33cd35786a9a7cbc9f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 0944e6d271..0d950223b0 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -647,7 +647,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         uint toCopy = n;
         uint chunk = toCopy;
         if (chunk > os->alloc - os->offset)
-            chunk -= os->alloc - os->offset;
+            chunk = os->alloc - os->offset;
         obj->arrayPut(oldSize, os->arrayData + os->offset, chunk);
         toCopy -= chunk;
         if (toCopy)
author	Lars Knoll <lars.knoll@qt.io>	2018-03-19 15:07:28 +0100
committer	Lars Knoll <lars.knoll@qt.io>	2018-04-03 08:36:56 +0000
commit	560360a1b7218865b71ae284dc920c38ffdd60d6 (patch)
tree	e844ed90e53afa3c76c1cc7f62b3a7c262163067 /src
parent	eb4f43a3f69c550213ed0b33cd35786a9a7cbc9f (diff)