RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 11:27:35 +00:00
Code Issues Activity Actions

LibJS: Fix substr() with negative arguments larger than string length

Browse source 
length_in_code_units() returns a size_t, which is 64-bit unsigned
in i686 builds. `size + (i32)int_length` hence produced a 64-bit
unsigned result, so a negative value would wrap around and become
a very large number.

As fix, just omit the cast -- we assign the result of max() to
a double anyways.

With this, all test262 tests in annexB/built-ins/String/prototype pass.
This commit is contained in:
Nico Weber 2022-01-13 20:20:06 -05:00 committed by Linus Groh
parent 23cde7685c
commit 1b944b4c41
2 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibJS/Runtime/StringPrototype.cpp
View file

@ -518,7 +518,7 @@ JS_DEFINE_NATIVE_FUNCTION(StringPrototype::substr)
if (Value(int_start).is_negative_infinity())
int_start = 0;
if (int_start < 0)
int_start = max(size + (i32)int_start, 0);
int_start = max(size + int_start, 0);
auto length = vm.argument(1);