Fix heap-buffer-overflow in ecma_collection_append (#3645)

This patch fixes #3628.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu

jerry-core/ecma/base/ecma-helpers-collection.c

@@ -174,7 +174,7 @@ ecma_collection_append (ecma_collection_t *collection_p, /**< value collection *
                         uint32_t count) /**< number of ecma values to append */
 {
   JERRY_ASSERT (collection_p != NULL);
-  if (collection_p->capacity - collection_p->item_count > count)
+  if (collection_p->capacity - collection_p->item_count >= count)
   {
     ecma_collection_reserve (collection_p, count);
   }

tests/jerry/es2015/regression-test-issue-3628.js

@@ -0,0 +1,25 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var g = Array.bind(0, 0, 0, 0)
+g.prototype = Array;
+class C extends g {}
+class D extends C {
+    constructor(a, b, c) {
+        eval("eval ('super (a, b, c, d)')")
+
+    }
+}
+var d = new D
+assert(d.length === 7);