diff options
author | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2016-04-14 12:40:31 +0200 |
---|---|---|
committer | Simon Hausmann <simon.hausmann@theqtcompany.com> | 2016-04-14 13:49:21 +0000 |
commit | 490ec1ff4e8eecd3abac4796fbe246411205c8d2 (patch) | |
tree | b4e99cf959efabd42ea90a64ab8e850d438c5b50 /src | |
parent | d7ca86b61e61f9375f3924397155b05e9c67d632 (diff) |
Fix memory corruption when calling Array.unshift()
The dequeue offset won't wrap around when n > offset.
[ChangeLog][QtQml] Fix crash with Array.unshift()
Task-number: QTBUG-52065
Change-Id: I5e8b89ec964cd6397100442a5239254bca989a3f
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
Diffstat (limited to 'src')
-rw-r--r-- | src/qml/jsruntime/qv4arraydata.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp index ec0185de64..bd736d775e 100644 --- a/src/qml/jsruntime/qv4arraydata.cpp +++ b/src/qml/jsruntime/qv4arraydata.cpp @@ -281,7 +281,13 @@ void SimpleArrayData::push_front(Object *o, const Value *values, uint n) Q_ASSERT(o->d()->arrayData->type == Heap::ArrayData::Simple); dd = o->d()->arrayData.cast<Heap::SimpleArrayData>(); } - dd->offset = (dd->offset - n) % dd->alloc; + if (n <= dd->offset) { + dd->offset -= n; // there is enough space left in front + } else { + // we need to wrap around, so: + dd->offset = dd->alloc - // start at the back, but subtract: + (n - dd->offset); // the number of items we can put in the free space at the start of the allocated array + } dd->len += n; for (uint i = 0; i < n; ++i) dd->data(i) = values[i].asReturnedValue(); |