LibJS: Avoid potential overflow in Array.prototype.toSpliced()

The implementation no longer matches the spec text, but I believe that's
a bug anyway. No point in allowing array lengths up to 2^53 - 1 when the
ArrayCreate AO rejects anything above 2^32 - 1.
Linus Groh 2022-07-03 01:37:17 +02:00
parent 143339767b
commit ab2574d75f


@ -1924,7 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
auto new_length_double = static_cast<double>(length) + static_cast<double>(insert_count) - static_cast<double>(actual_delete_count);
// 12. If newLen > 2^53 - 1, throw a TypeError exception.
if (new_length_double > MAX_ARRAY_LIKE_INDEX)
// FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
// values up to 2^53 - 1 through (spec issue). This also prevents a potential
// overflow when casting from double to size_t, which is 32 bits on x86.
if (new_length_double > NumericLimits<u32>::max())
return vm.throw_completion<TypeError>(global_object, ErrorType::ArrayMaxSize);
auto new_length = static_cast<size_t>(new_length_double);
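Review bot: the retained step comment `// 12. If newLen > 2^53 - 1, throw a TypeError exception.` directly above the new check now describes a bound the code no longer enforces; since the deviation from the spec text is deliberate, reword that step comment (or fold it into the FIXME) so it matches the `if (new_length_double > NumericLimits<u32>::max())` comparison, and narrow "size_t, which is 32 bits on x86" to 32-bit targets, since on x86-64 size_t is 64 bits and the double-to-size_t cast on its own would not overflow there. The check itself is sound: `NumericLimits<u32>::max()` is exactly representable as a double, so the comparison is exact and any value reaching the `static_cast<size_t>` fits in 32 bits.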