diff options
author | Lars Knoll <lars.knoll@qt.io> | 2018-03-19 15:07:28 +0100 |
---|---|---|
committer | Simon Hausmann <simon.hausmann@qt.io> | 2018-03-20 07:33:28 +0000 |
commit | f495d4b660107536d0a67ba48e88550278f13893 (patch) | |
tree | d9fd9504b1e0f27ec92afd97c49263d3bebf4fab /tests | |
parent | e1d32c80665c7d90a21138b26cb74dbfc86a63ba (diff) |
Fix out of bounds reads in Array.concat
In some cases, when our simple array data had an offset and
data would wrap around, ArrayData::append would write out
of bounds data into the new array, leading to crashes.
Task-number: QTBUG-51581
Change-Id: I55172542ef0b94d263cfc9a17d7ca49ec6c3a565
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/auto/qml/qjsengine/tst_qjsengine.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp index 8ffaa96569..8a017fd573 100644 --- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp +++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp @@ -128,6 +128,7 @@ private slots: void JSONparse(); void arraySort(); void lookupOnDisappearingProperty(); + void arrayConcat(); void qRegExpInport_data(); void qRegExpInport(); @@ -3009,6 +3010,19 @@ void tst_QJSEngine::lookupOnDisappearingProperty() QVERIFY(func.call(QJSValueList()<< o).isUndefined()); } +void tst_QJSEngine::arrayConcat() +{ + QJSEngine eng; + QJSValue v = eng.evaluate("var x = [1, 2, 3, 4, 5, 6];" + "var y = [];" + "for (var i = 0; i < 5; ++i)" + " x.shift();" + "for (var i = 10; i < 13; ++i)" + " x.push(i);" + "x.toString();"); + QCOMPARE(v.toString(), QString::fromLatin1("6,10,11,12")); +} + static QRegExp minimal(QRegExp r) { r.setMinimal(true); return r; } void tst_QJSEngine::qRegExpInport_data() |