authorOliver Dawes <olliedawes@gmail.com>2024-04-03 19:42:42 +0100
committerOliver Dawes <olliedawes@gmail.com>2024-04-04 14:11:54 +0100
commitd3e36454830012e4fd4c538ddeab7cddbfacdc24 (patch)
tree4d016d1ad33efa77390f88ae066bff02014e9f3d /src/qml/jsruntime/qv4estable.cpp
parenta8f6a298ae989c2569433d3607f9f696b2dbac93 (diff)
Fix heap-buffer-overflow in ESTable::remove
Fixes a heap-buffer-overflow in ESTable::remove caused by an off-by-one error in the count passed to the memmove calls. Task-number: QTBUG-123999 Pick-to: 6.7 6.5 6.2 5.15 Change-Id: I4ee0fbc16ba8936ea921e5f1d1bb267dae0b1d5f Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'src/qml/jsruntime/qv4estable.cpp')
-rw-r--r--src/qml/jsruntime/qv4estable.cpp23
1 files changed, 10 insertions, 13 deletions
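--- a/src/qml/jsruntime/qv4estable.cpp
+++ b/src/qml/jsruntime/qv4estable.cpp
@@ -111,21 +111,18 @@ ReturnedValue ESTable::get(const Value &key, bool *hasValue) const
 // Removes the given \a key from the table
 bool ESTable::remove(const Value &key)
 {
- bool found = false;
- uint idx = 0;
- for (; idx < m_size; ++idx) {
- if (m_keys[idx].sameValueZero(key)) {
- found = true;
- break;
+ for (uint index = 0; index < m_size; ++index) {
+ if (m_keys[index].sameValueZero(key)) {
+ // Remove the element at |index| by moving all elements to the right
+ // of |index| one place to the left.
+ size_t count = (m_size - (index + 1)) * sizeof(Value);
+ memmove(m_keys + index, m_keys + index + 1, count);
+ memmove(m_values + index, m_values + index + 1, count);
+ m_size--;
+ return true;
 }
 }
-
- if (found == true) {
- memmove(m_keys + idx, m_keys + idx + 1, (m_size - idx)*sizeof(Value));
- memmove(m_values + idx, m_values + idx + 1, (m_size - idx)*sizeof(Value));
- m_size--;
- }
- return found;
+ return false;
 }
 // Returns the size of the table. Note that the size may not match the underlying allocation.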
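Review bot: The comment above `bool ESTable::remove` still documents only the removal and not the boolean result the new body returns, so a reader has to trace the loop to learn that true means a key compared equal under sameValueZero and was shifted out while false means the table is unchanged; suggest `// Removes the given \a key from the table. Returns true if a matching key was found and removed, false otherwise.`. The corrected count is now the number of elements after index, which can be checked against the loop bound (index < m_size, so m_size - (index + 1) cannot wrap), and writing it as `const size_t count = (m_size - (index + 1)) * sizeof(Value);` makes clear it is not adjusted between the two memmove calls. After the shift the slot at the new m_size still holds a stale copy of the previously-last key and value; if anything walks these arrays by allocation rather than by m_size (the comment following the hunk says the two can differ), that copy would keep the value reachable, so it is worth confirming that all traversals stop at m_size or resetting the vacated slot to an undefined Value.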