From 490ec1ff4e8eecd3abac4796fbe246411205c8d2 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@theqtcompany.com>
Date: Thu, 14 Apr 2016 12:40:31 +0200
Subject: Fix memory corruption when calling Array.unshift()

The dequeue offset won't wrap around when n > offset.

[ChangeLog][QtQml] Fix crash with Array.unshift()

Task-number: QTBUG-52065
Change-Id: I5e8b89ec964cd6397100442a5239254bca989a3f
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
---
 src/qml/jsruntime/qv4arraydata.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/qml/jsruntime/qv4arraydata.cpp')

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index ec0185de64..bd736d775e 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -281,7 +281,13 @@ void SimpleArrayData::push_front(Object *o, const Value *values, uint n)
         Q_ASSERT(o->d()->arrayData->type == Heap::ArrayData::Simple);
         dd = o->d()->arrayData.cast<Heap::SimpleArrayData>();
     }
-    dd->offset = (dd->offset - n) % dd->alloc;
+    if (n <= dd->offset) {
+        dd->offset -= n; // there is enough space left in front
+    } else {
+         // we need to wrap around, so:
+        dd->offset = dd->alloc - // start at the back, but subtract:
+                (n - dd->offset); // the number of items we can put in the free space at the start of the allocated array
+    }
     dd->len += n;
     for (uint i = 0; i < n; ++i)
         dd->data(i) = values[i].asReturnedValue();
-- 
cgit v1.2.3