diff --git a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
index 7147115c3b..6d7e198348 100644
--- a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@@ -1924,13 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
     auto new_length_double = static_cast(length) + static_cast(insert_count) - static_cast(actual_delete_count);
     // 12. If newLen > 2^53 - 1, throw a TypeError exception.
-    // FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
-    //        values up to 2^53 - 1 through (spec issue). This also prevents a potential
-    //        overflow when casting from double to size_t, which is 32 bits on x86.
-    if (new_length_double > NumericLimits::max())
+    if (new_length_double > MAX_ARRAY_LIKE_INDEX)
         return vm.throw_completion(global_object, ErrorType::ArrayMaxSize);
-    auto new_length = static_cast(new_length_double);
+    auto new_length = static_cast(new_length_double);
     // 13. Let A be ? ArrayCreate(𝔽(newLen)).
     auto* array = TRY(Array::create(global_object, new_length));
diff --git a/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js b/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
index 231ee425af..3575e50148 100644
--- a/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
+++ b/Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js
@@ -97,4 +97,11 @@ describe("errors", () => {
             Array.prototype.toSpliced.call(a, 0, 0, "foo");
         }).toThrowWithMessage(TypeError, "Maximum array size exceeded");
     });
+
+    test("invalid array length", () => {
+        const a = { length: 2 ** 32 - 1 };
+        expect(() => {
+            Array.prototype.toSpliced.call(a, 0, 0, "foo");
+        }).toThrowWithMessage(RangeError, "Invalid array length");
+    });
 });
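Review bot: The removed FIXME was the only text explaining why the cast on the new `auto new_length = static_cast(new_length_double);` line must target a 64-bit type, and the template argument is not visible in this view, so the target cannot be confirmed here. With the bound raised to MAX_ARRAY_LIKE_INDEX (2^53 - 1 if it matches the spec step quoted in the comment above it), a `size_t` target would truncate on 32-bit builds, which is exactly the overflow the old comment described; if the target is a 64-bit type, a one-line comment keeps that reasoning: `// MAX_ARRAY_LIKE_INDEX does not fit in u32, so new_length must be 64-bit; Array::create below rejects lengths above 2^32 - 1 with a RangeError.` It is also worth stating in that comment that lengths above 2^53 - 1 now produce a TypeError while lengths in (2^32 - 1, 2^53 - 1] fall through to the RangeError the new test pins, since that split is a behaviour change from the removed u32 check. to_spliced begins and ends outside the hunk.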
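Review bot: The chosen length leaves the boundary implicit: `length: 2 ** 32 - 1` plus one inserted element and zero deletions gives newLen = 2^32, the first value past a u32 length, but nothing in the test says so. A one-line comment above the constant, `// newLen = 2^32 - 1 + 1 = 2^32, one past the largest length ArrayCreate accepts`, documents why this case ends in RangeError while the preceding test ends in TypeError. The describe block closes inside the hunk; its start is outside it.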