From 0e21bf0f23c0f072deadb4e5d085a94525f2b135 Mon Sep 17 00:00:00 2001
From: Daniel Bertalan
Date: Sat, 7 Aug 2021 23:47:39 +0200
Subject: [PATCH] LibJS: Don't overflow size_t in `Value::to_length()`

Although this is not spec-compliant, we don't have a way to represent objects larger than `NumericLimits::max()`. Since this abstract operation is only used when dealing with object size, we don't lose any functionality by taking that limit into account too. This fixes a UBSAN error when compiling with Clang.
---
 Userland/Libraries/LibJS/Runtime/Value.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/Value.cpp b/Userland/Libraries/LibJS/Runtime/Value.cpp
index f2336f51cb..253d3e43bd 100644
--- a/Userland/Libraries/LibJS/Runtime/Value.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Value.cpp
@@ -760,7 +760,9 @@ size_t Value::to_length(GlobalObject& global_object) const
 return INVALID;
 if (len <= 0)
 return 0;
- return min(len, MAX_ARRAY_LIKE_INDEX);
+ // FIXME: The spec says that this function's output range is 0 - 2^53-1. But we don't want to overflow the size_t.
+ constexpr double length_limit = sizeof(void*) == 4 ? NumericLimits::max() : MAX_ARRAY_LIKE_INDEX;
+ return min(len, length_limit);
 }
 
 // 7.1.22 ToIndex ( argument ), https://tc39.es/ecma262/#sec-toindex
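Review bot: The added `length_limit` line keys the clamp on `sizeof(void*) == 4`, but the value that must not overflow is `size_t`, so the bound should be derived from that type rather than from pointer width; `constexpr double length_limit = min(static_cast<double>(MAX_ARRAY_LIKE_INDEX), static_cast<double>(NumericLimits<size_t>::max()));` picks the smaller representable bound on every target without a platform branch (on a 64-bit target the `size_t` maximum rounds to 2^64 as a double, which is still above 2^53-1, so the result is unchanged there; this assumes `min` is usable in a constant expression, as the ternary is). The `NumericLimits::max()` on that line appears to have lost its template argument in rendering; confirm it reads `NumericLimits<size_t>::max()` in the source. Since the double-to-`size_t` narrowing on the return line is exactly what the commit guards against, writing it as `return static_cast<size_t>(min(len, length_limit));` makes the conversion explicit and keeps the clamp visibly adjacent to it. The computation of `len` at the start of `to_length` is outside the hunk.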