An integer overflow in DataViewCtor::virtualCallAsConstructor (qv4dataview.cpp:95) allows arbitrary¹ out-of-bounds memory reads and writes:
Here, the DataView has a very large length, but passes the check in the constructor (line 95) because offset + byteLength overflows (to 0) and is therefore smaller than the bufferLength = buffer->d()->data->size provided by the underlying ArrayBuffer. The example only performs reads, but of course setUint8 also works.
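The following is an added illustration, not code from the report or from Qt: it models the length check described above with two standalone functions operating on 32-bit unsigned values. `dataViewFitsWeak` forms `offset + byteLength` first, so the sum can wrap to a small value and pass the comparison against `bufferLength`; `dataViewFitsSafe` compares `byteLength` against the remaining space instead and cannot be fooled by the wrap. The names and the choice of 32-bit arithmetic are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed example (not Qt's code): models the bounds check a DataView
// constructor performs against the byte size of its ArrayBuffer. All values
// are 32-bit unsigned, so offset + byteLength may wrap modulo 2^32.

// Weak check: computes the end position first. If offset + byteLength wraps
// around, 'end' becomes a small number and the view is wrongly accepted.
bool dataViewFitsWeak(uint32_t bufferLength, uint32_t offset, uint32_t byteLength) {
    uint32_t end = offset + byteLength;  // may wrap to a value below bufferLength
    return end <= bufferLength;
}

// Hardened check: never forms the sum. First make sure the offset itself is
// inside the buffer, then compare the requested length against the space that
// remains; the subtraction cannot underflow after the first test.
bool dataViewFitsSafe(uint32_t bufferLength, uint32_t offset, uint32_t byteLength) {
    if (offset > bufferLength)
        return false;
    return byteLength <= bufferLength - offset;
}

int main() {
    const uint32_t bufferLength = 16;        // constructed: a 16-byte ArrayBuffer
    const uint32_t offset = 1;
    const uint32_t byteLength = 0xFFFFFFFFu;  // constructed: offset + byteLength wraps to 0

    std::printf("weak check accepts the view: %s\n",
                dataViewFitsWeak(bufferLength, offset, byteLength) ? "yes" : "no");
    std::printf("safe check accepts the view: %s\n",
                dataViewFitsSafe(bufferLength, offset, byteLength) ? "yes" : "no");
    return 0;
}
```

The same pattern (compare against `bufferLength - offset` after bounding `offset`) is the usual fix for this class of check, and it matches the shape of the fix the report points to for TypedArray.prototype.set.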
A similar bug in TypedArray.prototype.set was fixed in QTBUG-81102 (and I suspect a fix will look very similar).
Credit for discovering this bug goes to the pasten CTF team, who used it to obtain arbitrary code execution at hxp 36C3 CTF's vvvv challenge².
¹ Access is limited to the 2³² bytes (4 GiB) past the beginning of the memory of the underlying ArrayBuffer, although that is not a very significant restriction in practice.