From ab39a94fdf54920a3ce2cc85dc77c963bcc7eb2f Mon Sep 17 00:00:00 2001
From: sin-ack
Date: Sat, 7 Aug 2021 08:47:38 +0000
Subject: [PATCH] LibJS: Cast length to signed integer before subtraction

length is size_t as returned, and so subtracting from it may cause underflow. We handle this case by just casting it to a signed value, and the for loop predicate takes care of the rest.
---
 Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
index aa32e12814..1cc0936631 100644
--- a/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@@ -1521,7 +1521,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last)
     // 4. Let k be len - 1.
     // 5. Repeat, while k ≥ 0,
-    for (i64 k = length - 1; k >= 0; --k) {
+    for (i64 k = static_cast(length) - 1; k >= 0; --k) {
         // a. Let Pk be ! ToString(𝔽(k)).
         auto property_name = PropertyName { k };
 
@@ -1570,7 +1570,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last_index)
     // 4. Let k be len - 1.
     // 5. Repeat, while k ≥ 0,
-    for (i64 k = length - 1; k >= 0; --k) {
+    for (i64 k = static_cast(length) - 1; k >= 0; --k) {
         // a. Let Pk be ! ToString(𝔽(k)).
         auto property_name = PropertyName { k };
 
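Review bot: The added loop header in the find_last hunk reads `static_cast(length)` with no target type, which is not valid C++ — this is most likely a `<i64>` template argument lost when the patch was rendered, but as shown the line would not compile and should read `for (i64 k = static_cast<i64>(length) - 1; k >= 0; --k) {`; the find_last_index hunk has the identical line. The reason for the cast (a `size_t` minus one wraps to a huge unsigned value when `length` is 0, and the old code only reached `k == -1` through an unsigned-to-signed conversion that is implementation-defined before C++20) lives only in the commit message, so a one-line comment above each loop such as `// length is size_t: cast before subtracting so an empty array yields k == -1 and the loop body is skipped` would stop a later reader from "simplifying" it back. Both enclosing functions start and end outside their hunks, so whether `length` is guaranteed to fit in `i64` at this point cannot be confirmed from the diff alone.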