| author | Ulf Hermann <ulf.hermann@qt.io> | 2025-11-28 10:06:21 +0100 |
|---|---|---|
| committer | Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> | 2025-11-30 22:39:08 +0000 |
| commit | d4e37bb655309acb69f37cca875ac1eb6438fd5a (patch) | |
| tree | 35aadd1248552f01b828c665984d983ae2bb3a22 | |
| parent | 37e9205d97f9ffa71ca91d170dcba14a584c1de5 (diff) | |
QmlCompiler: Don't read out of bounds when analyzing splice()6.10
You can call splice with only one argument, after all.
Pick-to: 6.8 6.5
Fixes: QTBUG-142253
Change-Id: I3dec244325fd4d57a045ec024968e26e4f6372db
Reviewed-by: Olivier De Cannière <olivier.decanniere@qt.io>
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit c094b60fedff5b2a52d0c350ecfa13fb5b9245b0)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| -rw-r--r-- | src/qmlcompiler/qqmljstypepropagator.cpp | 5 | ||||
| -rw-r--r-- | tests/auto/qml/qmlcppcodegen/data/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | tests/auto/qml/qmlcppcodegen/data/splice.qml | 7 | ||||
| -rw-r--r-- | tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp | 11 |
4 files changed, 22 insertions, 2 deletions
diff --git a/src/qmlcompiler/qqmljstypepropagator.cpp b/src/qmlcompiler/qqmljstypepropagator.cpp
index de44549fdb..bafc1751e0 100644
--- a/src/qmlcompiler/qqmljstypepropagator.cpp
+++ b/src/qmlcompiler/qqmljstypepropagator.cpp
@@ -1978,7 +1978,8 @@ bool QQmlJSTypePropagator::propagateArrayMethod(
 }
 if (name == u"splice" && argc > 0) {
- for (int i = 0; i < 2; ++i) {
+ const int startAndDeleteCount = std::min(argc, 2);
+ for (int i = 0; i < startAndDeleteCount; ++i) {
 if (!canConvertFromTo(m_state.registers[argv + i].content, intType))
 return false;
 }
@@ -1988,7 +1989,7 @@ bool QQmlJSTypePropagator::propagateArrayMethod(
 return false;
 }
- for (int i = 0; i < 2; ++i)
+ for (int i = 0; i < startAndDeleteCount; ++i)
 addReadRegister(argv + i, intType);
 for (int i = 2; i < argc; ++i)
diff --git a/tests/auto/qml/qmlcppcodegen/data/CMakeLists.txt b/tests/auto/qml/qmlcppcodegen/data/CMakeLists.txt
index d45bfcc723..79e908c967 100644
--- a/tests/auto/qml/qmlcppcodegen/data/CMakeLists.txt
+++ b/tests/auto/qml/qmlcppcodegen/data/CMakeLists.txt
@@ -316,6 +316,7 @@ set(qml_files
 signalsWithLists.qml
 signatureIgnored.qml
 specificParent.qml
+ splice.qml
 storeElementSideEffects.qml
 stringArg.qml
 stringLength.qml
diff --git a/tests/auto/qml/qmlcppcodegen/data/splice.qml b/tests/auto/qml/qmlcppcodegen/data/splice.qml
new file mode 100644
index 0000000000..71225097d5
--- /dev/null
+++ b/tests/auto/qml/qmlcppcodegen/data/splice.qml
@@ -0,0 +1,7 @@
+import QtQml
+
+QtObject {
+ property list<int> intList: [0, 1, 2, 3]
+ property list<int> spliced
+ Component.onCompleted: spliced = intList.splice(2)
+}
diff --git a/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp b/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
index bfca5a7369..70c50b457a 100644
--- a/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
+++ b/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
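Review bot: The clamped bound in the `splice` branch of propagateArrayMethod carries no comment saying why it exists, so a later cleanup could turn it back into the literal 2 and reintroduce the read past the passed registers. A line above it such as `// deleteCount is optional: only inspect the arguments that were actually passed` would record the invariant next to the code. The name `startAndDeleteCount` reads like a sum of two values rather than the number of leading integer arguments; `leadingIntArgs` or similar would be clearer. The second hunk's `addReadRegister` loop reuses the same bound, so the comment only needs to appear once. The function starts and ends outside both hunks, so whether other branches index `argv + i` with a fixed count cannot be judged from here.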
@@ -180,6 +180,7 @@ private slots:
 void jsArrayMethods();
 void jsArrayMethodsWithParams();
 void jsArrayMethodsWithParams_data();
+ void jsArraySplice();
 void jsImport();
 void jsMathObject();
 void jsmoduleImport();
@@ -3441,6 +3442,16 @@ void tst_QmlCppCodegen::jsArrayMethodsWithParams_data()
 }
 }
+void tst_QmlCppCodegen::jsArraySplice()
+{
+ QQmlEngine engine;
+ QQmlComponent splice(&engine, QUrl(u"qrc:/qt/qml/TestTypes/splice.qml"_s));
+ QVERIFY2(splice.isReady(), qPrintable(splice.errorString()));
+ QScopedPointer<QObject> spliceObject(splice.create());
+ QCOMPARE(spliceObject->property("intList").value<QList<int>>(), QList<int>({0, 1}));
+ QCOMPARE(spliceObject->property("spliced").value<QList<int>>(), QList<int>({2, 3}));
+}
+
 void tst_QmlCppCodegen::jsImport()
 {
 QQmlEngine engine; |
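Review bot: In `jsArraySplice()` the result of `splice.create()` is dereferenced by the first `QCOMPARE` without a null check, so a failed instantiation would crash the test binary instead of reporting a failure. Adding `QVERIFY(!spliceObject.isNull());` right after the `QScopedPointer` line makes that case a normal test failure. The test also exercises only the one-argument form from splice.qml. Cases for `splice(start, deleteCount)` and for a call with extra items to insert would pin the clamped bound on both sides of 2, unless a test not visible in this diff already covers them.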
