Fix corruption when adding or changing properties of JS objects

Commit 833c99db20 introduced this regression by only moving part of the
value data to the proper offset.

Task-number: QTBUG-53261
Change-Id: I11241c57057a57794bc3ca60ee437206e524f355
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>

1 files changed, 8 insertions, 4 deletions

diff --git a/src/qml/jsruntime/qv4internalclass.cpp b/src/qml/jsruntime/qv4internalclass.cpp
index 0bc4b9a7fc..65e83d848c 100644
--- a/src/qml/jsruntime/qv4internalclass.cpp
+++ b/src/qml/jsruntime/qv4internalclass.cpp
@@ -140,16 +140,20 @@ static void insertHoleIntoPropertyData(Object *object, int idx)
     int icSize = object->internalClass()->size;
     int from = qMax(idx, inlineSize);
     int to = from + 1;
-    if (from < icSize)
-        memmove(object->propertyData(to), object->propertyData(from), icSize - from - 1);
+    if (from < icSize) {
+        memmove(object->propertyData(to), object->propertyData(from),
+                (icSize - from - 1) * sizeof(Value));
+    }
     if (from == idx)
         return;
     if (inlineSize < icSize)
         *object->propertyData(inlineSize) = *object->propertyData(inlineSize - 1);
     from = idx;
     to = from + 1;
-    if (from < inlineSize - 1)
-        memmove(object->propertyData(to), object->propertyData(from), inlineSize - from - 1);
+    if (from < inlineSize - 1) {
+        memmove(object->propertyData(to), object->propertyData(from),
+                (inlineSize - from - 1) * sizeof(Value));
+    }
 }
 
 static void removeFromPropertyData(Object *object, int idx, bool accessor = false)