From ab2574d75f43ac2600a55f9610ec2009e07e4a93 Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Sun, 3 Jul 2022 01:37:17 +0200
Subject: [PATCH] LibJS: Avoid potential overflow in Array.prototype.toSpliced()

The implementation no longer matches the spec text, but I believe that's a bug anyway. No point in allowing array lengths up to 2^53 - 1 when the ArrayCreate AO rejects anything above 2^32 - 1.
---
 Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
index 1be2d3f56c8..7147115c3bd 100644
--- a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@@ -1924,7 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
 auto new_length_double = static_cast(length) + static_cast(insert_count) - static_cast(actual_delete_count);
 // 12. If newLen > 2^53 - 1, throw a TypeError exception.
- if (new_length_double > MAX_ARRAY_LIKE_INDEX)
+ // FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
+ // values up to 2^53 - 1 through (spec issue). This also prevents a potential
+ // overflow when casting from double to size_t, which is 32 bits on x86.
+ if (new_length_double > NumericLimits::max())
 return vm.throw_completion(global_object, ErrorType::ArrayMaxSize);
 auto new_length = static_cast(new_length_double);
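Review bot: The new FIXME calls the double-to-size_t conversion on the hunk's last line a potential "overflow", but in C++ a floating-to-integer conversion whose truncated value does not fit the destination type is undefined behaviour, not wraparound, so the added comparison is what makes that `static_cast` well-defined at all and the comment should say so. "32 bits on x86" is also imprecise, since size_t is 64 bits on x86-64; suggest replacing the last comment line with `// out-of-range conversion from double to size_t (32 bits on 32-bit targets), which is UB in C++.` so it reads on from "This also prevents a potential". The limit's template argument is not visible on this page, so I cannot confirm it; whichever integer type NumericLimits is instantiated with here must be no wider than size_t on every supported target for the guard to cover the cast. The body of to_spliced starts before and continues after this hunk.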