From 560360a1b7218865b71ae284dc920c38ffdd60d6 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Mon, 19 Mar 2018 15:07:28 +0100
Subject: Fix out of bounds reads in Array.concat

In some cases, when our simple array data had an offset and
data would wrap around, ArrayData::append would write out
of bounds data into the new array, leading to crashes.

Task-number: QTBUG-51581
Change-Id: I55172542ef0b94d263cfc9a17d7ca49ec6c3a565
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
(cherry picked from commit f495d4b660107536d0a67ba48e88550278f13893)
---
 src/qml/jsruntime/qv4arraydata.cpp         |  2 +-
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 0944e6d271..0d950223b0 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -647,7 +647,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
         uint toCopy = n;
         uint chunk = toCopy;
         if (chunk > os->alloc - os->offset)
-            chunk -= os->alloc - os->offset;
+            chunk = os->alloc - os->offset;
         obj->arrayPut(oldSize, os->arrayData + os->offset, chunk);
         toCopy -= chunk;
         if (toCopy)
diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 8b815f7a06..166f17f9e1 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -128,6 +128,7 @@ private slots:
     void JSONparse();
     void arraySort();
     void lookupOnDisappearingProperty();
+    void arrayConcat();
 
     void qRegExpInport_data();
     void qRegExpInport();
@@ -3018,6 +3019,19 @@ void tst_QJSEngine::lookupOnDisappearingProperty()
     QVERIFY(func.call(QJSValueList()<< o).isUndefined());
 }
 
+void tst_QJSEngine::arrayConcat()
+{
+    QJSEngine eng;
+    QJSValue v = eng.evaluate("var x = [1, 2, 3, 4, 5, 6];"
+                              "var y = [];"
+                              "for (var i = 0; i < 5; ++i)"
+                              "    x.shift();"
+                              "for (var i = 10; i < 13; ++i)"
+                              "   x.push(i);"
+                              "x.toString();");
+    QCOMPARE(v.toString(), QString::fromLatin1("6,10,11,12"));
+}
+
 static QRegExp minimal(QRegExp r) { r.setMinimal(true); return r; }
 
 void tst_QJSEngine::qRegExpInport_data()
-- 
cgit v1.2.3