authorOliver Dawes <olliedawes@gmail.com>2024-04-03 19:42:42 +0100
committerOliver Dawes <olliedawes@gmail.com>2024-04-04 14:11:54 +0100
commitd3e36454830012e4fd4c538ddeab7cddbfacdc24 (patch)
tree4d016d1ad33efa77390f88ae066bff02014e9f3d /tests/auto/qml/qv4estable
parenta8f6a298ae989c2569433d3607f9f696b2dbac93 (diff)
Fix heap-buffer-overflow in ESTable::remove
Fixes a heap-buffer-overflow issue in ESTable::remove due to an off by one error in the count provided to memmove calls. Task-number: QTBUG-123999 Pick-to: 6.7 6.5 6.2 5.15 Change-Id: I4ee0fbc16ba8936ea921e5f1d1bb267dae0b1d5f Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
Diffstat (limited to 'tests/auto/qml/qv4estable')
-rw-r--r--tests/auto/qml/qv4estable/CMakeLists.txt24
-rw-r--r--tests/auto/qml/qv4estable/tst_qv4estable.cpp40
2 files changed, 64 insertions, 0 deletions
diff --git a/tests/auto/qml/qv4estable/CMakeLists.txt b/tests/auto/qml/qv4estable/CMakeLists.txt
new file mode 100644
index 0000000000..01d2663a04
--- /dev/null
+++ b/tests/auto/qml/qv4estable/CMakeLists.txt
@@ -0,0 +1,24 @@
+# Copyright (C) 2024 The Qt Company Ltd.
+# SPDX-License-Identifier: BSD-3-Clause
+
+#####################################################################
+## tst_qv4estable Test:
+#####################################################################
+
+if(NOT QT_BUILD_STANDALONE_TESTS AND NOT QT_BUILDING_QT)
+ cmake_minimum_required(VERSION 3.16)
+ project(tst_qv4estable LANGUAGES CXX)
+ find_package(Qt6BuildInternals REQUIRED COMPONENTS STANDALONE_TEST)
+endif()
+
+qt_internal_add_test(tst_qv4estable
+ SOURCES
+ tst_qv4estable.cpp
+ LIBRARIES
+ Qt::Gui
+ Qt::Qml
+ Qt::QmlPrivate
+)
+
+## Scopes:
+#####################################################################
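Review bot: The `Qt::Gui` entry under `LIBRARIES` looks unnecessary, since the test source in this commit includes only `qtest.h` and `private/qv4estable_p.h`. Linking it defines `QT_GUI_LIB`, so `QTEST_MAIN` will construct a `QGuiApplication` and the test will need a working platform plugin for what is a pure container check. If nothing else requires it, drop the `Qt::Gui` line so the regression test for the memmove overflow can run in minimal, headless sanitizer jobs.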
diff --git a/tests/auto/qml/qv4estable/tst_qv4estable.cpp b/tests/auto/qml/qv4estable/tst_qv4estable.cpp
new file mode 100644
index 0000000000..45df62b23e
--- /dev/null
+++ b/tests/auto/qml/qv4estable/tst_qv4estable.cpp
@@ -0,0 +1,40 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#include <qtest.h>
+#include <private/qv4estable_p.h>
+
+class tst_qv4estable : public QObject
+{
+ Q_OBJECT
+
+private slots:
+ void checkRemoveAvoidsHeapBufferOverflow();
+};
+
+// QTBUG-123999
+void tst_qv4estable::checkRemoveAvoidsHeapBufferOverflow()
+{
+ QV4::ESTable estable;
+
+ // Fill the ESTable with values so it is at max capacity.
+ QCOMPARE_EQ(estable.m_capacity, 8);
+ for (uint i = 0; i < estable.m_capacity; ++i) {
+ estable.set(QV4::Value::fromUInt32(i), QV4::Value::fromUInt32(i));
+ }
+ // Our |m_keys| array should now contain eight values.
+ // > [v0, v1, v2, v3, v4, v5, v6, v7]
+ for (uint i = 0; i < estable.m_capacity; ++i) {
+ QVERIFY(estable.m_keys[i].sameValueZero(QV4::Value::fromUInt32(i)));
+ }
+ QCOMPARE_EQ(estable.m_capacity, 8);
+ QCOMPARE_EQ(estable.m_size, 8);
+
+ // Remove the first item from the set to verify that asan does not trip.
+ // Relies on the CI platform propagating asan flag to all tests.
+ estable.remove(QV4::Value::fromUInt32(0));
+}
+
+QTEST_MAIN(tst_qv4estable)
+
+#include "tst_qv4estable.moc"
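Review bot: Nothing is asserted after `estable.remove(...)` at the end of `checkRemoveAvoidsHeapBufferOverflow()`, so the test can only fail when the binary is built with AddressSanitizer. On any non-ASan configuration, a regression in the memmove count would pass silently. Checking the observable state after the removal (size decremented, remaining keys shifted down by one, removed key absent) makes the test meaningful without a sanitizer and also catches a count that is too small. This assumes `remove()` returns `bool` and `has()` is available, as declared in `qv4estable_p.h`. The comment should also name the build option that enables ASan on CI, rather than only saying the flag is propagated.

```cpp
    // … unchanged: fill the table to capacity and verify m_keys[0..7] …

    // Remove the first item; under ASan this also verifies no out-of-bounds memmove.
    QVERIFY(estable.remove(QV4::Value::fromUInt32(0)));
    QCOMPARE_EQ(estable.m_size, 7);
    QVERIFY(!estable.has(QV4::Value::fromUInt32(0)));
    // Remaining keys must have been shifted down by exactly one slot.
    for (uint i = 0; i < estable.m_size; ++i) {
        QVERIFY(estable.m_keys[i].sameValueZero(QV4::Value::fromUInt32(i + 1)));
    }
```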