From 6fa617524a6d0a2bc988e2dc70e8d719d1b9c282 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Thu, 2 Jan 2020 18:24:13 +0100
Subject: Avoid oob access on Array.concat

As we have already determined that we're past the end of the allocated space on the source object by checking os->values.alloc, we should conclude that all the remaining values are undefined.

Fixes: QTBUG-81037
Change-Id: I664f22b7eb37c26061e8a9e2f88bcf2a7b6e09f3
Reviewed-by: Fabian Kosmale
---
 src/qml/jsruntime/qv4arraydata.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/qml/jsruntime')

diff --git a/src/qml/jsruntime/qv4arraydata.cpp b/src/qml/jsruntime/qv4arraydata.cpp
index 654d33b8d1..36a53a7057 100644
--- a/src/qml/jsruntime/qv4arraydata.cpp
+++ b/src/qml/jsruntime/qv4arraydata.cpp
@@ -586,7 +586,7 @@ uint ArrayData::append(Object *obj, ArrayObject *otherObj, uint n)
 obj->arrayPut(oldSize, os->values.data() + os->offset, chunk);
 toCopy -= chunk;
 if (toCopy)
- obj->arrayPut(oldSize + chunk, os->values.data(), toCopy);
+ obj->setArrayLength(oldSize + chunk + toCopy);
 }
 return oldSize + n;
-- 
cgit v1.2.3
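Review bot: The added `setArrayLength` call relies on the trailing `toCopy` slots being left as holes, but nothing in the hunk records why that tail must not be read from the start of `os->values` — the removed line's wrap-around read looks deliberate, so a later maintainer could plausibly restore it and reintroduce the out-of-bounds read. A one-line comment above the call, `// No backing storage past os->values.alloc: the remaining toCopy slots are holes, so only the length grows`, would keep the reasoning from the commit message next to the code. If `toCopy` was initialised to `n` as the return statement suggests, `obj->setArrayLength(oldSize + n);` would also read more directly and mirror `return oldSize + n;`. The guard that bounds `chunk` against `os->values.alloc - os->offset` sits before the hunk, so the surviving `arrayPut` still depends on it; a `Q_ASSERT(chunk <= os->values.alloc - os->offset);` ahead of that call would make the invariant checkable in debug builds. ArrayData::append begins and ends outside the hunk.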