From 490ec1ff4e8eecd3abac4796fbe246411205c8d2 Mon Sep 17 00:00:00 2001
From: Simon Hausmann <simon.hausmann@theqtcompany.com>
Date: Thu, 14 Apr 2016 12:40:31 +0200
Subject: Fix memory corruption when calling Array.unshift()

The dequeue offset won't wrap around when n > offset.

[ChangeLog][QtQml] Fix crash with Array.unshift()

Task-number: QTBUG-52065
Change-Id: I5e8b89ec964cd6397100442a5239254bca989a3f
Reviewed-by: Robin Burchell <robin.burchell@viroteck.net>
---
 tests/auto/qml/qjsengine/tst_qjsengine.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'tests/auto/qml/qjsengine')

diff --git a/tests/auto/qml/qjsengine/tst_qjsengine.cpp b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
index 35824c6d00..9a0865c0ac 100644
--- a/tests/auto/qml/qjsengine/tst_qjsengine.cpp
+++ b/tests/auto/qml/qjsengine/tst_qjsengine.cpp
@@ -142,6 +142,7 @@ private slots:
     void functionDeclarationsInConditionals();
 
     void arrayPop_QTBUG_35979();
+    void array_unshift_QTBUG_52065();
 
     void regexpLastMatch();
     void indexedAccesses();
@@ -2999,6 +3000,20 @@ void tst_QJSEngine::arrayPop_QTBUG_35979()
     QCOMPARE(result.toString(), QString("1,3"));
 }
 
+void tst_QJSEngine::array_unshift_QTBUG_52065()
+{
+    QJSEngine eng;
+    QJSValue result = eng.evaluate("[1, 2, 3, 4, 5, 6, 7, 8, 9]");
+    QJSValue unshift = result.property(QStringLiteral("unshift"));
+    unshift.callWithInstance(result, QJSValueList() << QJSValue(0));
+
+    int len = result.property(QStringLiteral("length")).toInt();
+    QCOMPARE(len, 10);
+
+    for (int i = 0; i < len; ++i)
+        QCOMPARE(result.property(i).toInt(), i);
+}
+
 void tst_QJSEngine::regexpLastMatch()
 {
     QJSEngine eng;
-- 
cgit v1.2.3