-rw-r--r--src/qml/jsruntime/qv4dataview.cpp2
-rw-r--r--tests/auto/qml/qjsengine/tst_qjsengine.cpp16
2 files changed, 17 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4dataview.cpp b/src/qml/jsruntime/qv4dataview.cpp
index 5ab8cf2dcb..da1b91e69a 100644
--- a/src/qml/jsruntime/qv4dataview.cpp
+++ b/src/qml/jsruntime/qv4dataview.cpp
@@ -92,7 +92,7 @@ ReturnedValue DataViewCtor::virtualCallAsConstructor(const FunctionObject *f, co
uint byteLength = (argc < 3 || argv[2].isUndefined()) ? (bufferLength - offset) : ::toIndex(scope.engine, argv[2]);
if (scope.hasException())
return Encode::undefined();
- if (offset + byteLength > bufferLength)
+ if (offset > bufferLength || byteLength > bufferLength - offset)
return scope.engine->throwRangeError(QStringLiteral("DataView: constructor arguments out of range"));
Scoped<DataView> a(scope, scope.engine->memoryManager->allocate<DataView>());
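Review bot: The rewritten guard on the changed line is the right shape against unsigned wrap-around, but nothing in the code says why the obvious `offset + byteLength > bufferLength` form was abandoned, so a later tidy-up could reintroduce it; add `// Do not write offset + byteLength: both are uint and the sum can wrap, letting an out-of-range view through (see tst_QJSEngine::dataViewCtor).` above the check. The guard also depends on evaluation order: the default `bufferLength - offset` computed on the line above wraps when offset exceeds bufferLength, and that is only harmless because `offset > bufferLength` is tested first, which is worth a word in the same comment. Separately, `byteLength` is a `uint` assigned from `::toIndex()`, whose return type is not visible here; if that helper can yield values above UINT_MAX, a length such as 2^32 + 8 would be narrowed to 8 and pass the check, so confirm that toIndex clamps or throws before the narrowing. DataViewCtor::virtualCallAsConstructor begins before this hunk.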
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index aeb0303899..26737e79c4 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -263,6 +263,7 @@ private slots:
void arrayIncludesWithLargeArray();
void printCircularArray();
void typedArraySet();
+ void dataViewCtor();
void uiLanguage();
@@ -5145,6 +5146,21 @@ void tst_QJSEngine::typedArraySet()
}
}
+void tst_QJSEngine::dataViewCtor()
+{
+ QJSEngine engine;
+ const auto error = engine.evaluate(R"(
+ (function() { try {
+ var buf = new ArrayBuffer(0x200);
+ var vuln = new DataView(buf, 8, 0xfffffff8);
+ } catch (e) {
+ return e;
+ }})()
+ )");
+ QVERIFY(error.isError());
+ QCOMPARE(error.toString(), "RangeError: DataView: constructor arguments out of range");
+}
+
void tst_QJSEngine::uiLanguage()
{
{
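Review bot: The new test exercises only the length wrap-around case, so the other branch of the repaired guard (`offset > bufferLength`) and the accepted boundary go untested and a regression in either would pass this suite. Extending the script with `new DataView(buf, 0x201)` as a second expected RangeError and `new DataView(buf, 8, 0x1f8)` as a construction that must succeed would pin both sides of the bound. The local `vuln` is never read; naming it `view` or dropping the assignment reads cleaner, and when no exception is thrown the IIFE returns undefined, so `QVERIFY(error.isError())` fails without saying which construction was wrongly accepted — a `QVERIFY2` with a message would make that failure self-explanatory.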