From d4e37bb655309acb69f37cca875ac1eb6438fd5a Mon Sep 17 00:00:00 2001
From: Ulf Hermann <ulf.hermann@qt.io>
Date: Fri, 28 Nov 2025 10:06:21 +0100
Subject: QmlCompiler: Don't read out of bounds when analyzing splice()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

You can call splice with only one argument, after all.

Pick-to: 6.8 6.5
Fixes: QTBUG-142253
Change-Id: I3dec244325fd4d57a045ec024968e26e4f6372db
Reviewed-by: Olivier De Cannière <olivier.decanniere@qt.io>
Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
(cherry picked from commit c094b60fedff5b2a52d0c350ecfa13fb5b9245b0)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp')

diff --git a/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp b/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
index bfca5a7369..70c50b457a 100644
--- a/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
+++ b/tests/auto/qml/qmlcppcodegen/tst_qmlcppcodegen.cpp
@@ -180,6 +180,7 @@ private slots:
     void jsArrayMethods();
     void jsArrayMethodsWithParams();
     void jsArrayMethodsWithParams_data();
+    void jsArraySplice();
     void jsImport();
     void jsMathObject();
     void jsmoduleImport();
@@ -3441,6 +3442,16 @@ void tst_QmlCppCodegen::jsArrayMethodsWithParams_data()
     }
 }
 
+void tst_QmlCppCodegen::jsArraySplice()
+{
+    QQmlEngine engine;
+    QQmlComponent splice(&engine, QUrl(u"qrc:/qt/qml/TestTypes/splice.qml"_s));
+    QVERIFY2(splice.isReady(), qPrintable(splice.errorString()));
+    QScopedPointer<QObject> spliceObject(splice.create());
+    QCOMPARE(spliceObject->property("intList").value<QList<int>>(), QList<int>({0, 1}));
+    QCOMPARE(spliceObject->property("spliced").value<QList<int>>(), QList<int>({2, 3}));
+}
+
 void tst_QmlCppCodegen::jsImport()
 {
     QQmlEngine engine;
-- 
cgit v1.2.3