mirror of
https://github.com/RGBCube/serenity
synced 2025-07-27 11:27:35 +00:00
LibJS: Fix substr() with negative arguments larger than string length
length_in_code_units() returns a size_t, which is 64-bit unsigned in i686 builds. `size + (i32)int_length` hence produced a 64-bit unsigned result, so a negative value would wrap around and become a very large number. As a fix, just omit the cast -- we assign the result of max() to a double anyways. With this, all test262 tests in annexB/built-ins/String/prototype pass.
parent
23cde7685c
commit
1b944b4c41
2 changed files with 4 additions and 1 deletions
|
@ -518,7 +518,7 @@ JS_DEFINE_NATIVE_FUNCTION(StringPrototype::substr)
|
|||
if (Value(int_start).is_negative_infinity())
|
||||
int_start = 0;
|
||||
if (int_start < 0)
|
||||
int_start = max(size + (i32)int_start, 0);
|
||||
int_start = max(size + int_start, 0);
|
||||
|
||||
auto length = vm.argument(1);
|
||||
|
||||
|
|
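Review bot: The replacement line `int_start = max(size + int_start, 0);` is only correct because of an implicit conversion that nothing on the line shows. Per the commit message, `size` comes from a function returning an unsigned `size_t` and the result is assigned to a double, so the sum has to be evaluated in floating point to be able to go negative before `max()` clamps it. If `int_start` is ever changed back to an integer type, the unsigned wraparound returns without any compiler diagnostic. Consider making the conversion explicit, for example `max(static_cast<double>(size) + int_start, 0.0)`, or at least adding a one-line comment that the addition must not be performed in an unsigned type.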