RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-22 19:25:07 +00:00
Code Issues Activity Actions

LibJS: Add bounds check to Array.prototype.{find,findIndex}

Browse source 
The number of iterations is limited to the initial array size, but we
still need to check if the array did shrink since then before accessing
each element.

Fixes #1992.
This commit is contained in:
Linus Groh 2020-04-28 00:26:00 +01:00 committed by Andreas Kling
parent 92671be906
commit c14fedd562
2 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Libraries/LibJS/Runtime/ArrayPrototype.cpp
View file

@ -441,6 +441,9 @@ Value ArrayPrototype::find(Interpreter& interpreter)
auto array_size = array->elements().size(); auto array_size = array->elements().size();
for (size_t i = 0; i < array_size; ++i) { for (size_t i = 0; i < array_size; ++i) {
if (i >= array->elements().size())
break;
auto value = array->elements().at(i); auto value = array->elements().at(i);
if (value.is_empty()) if (value.is_empty())
continue; continue;
@ -475,6 +478,9 @@ Value ArrayPrototype::find_index(Interpreter& interpreter)
auto array_size = array->elements().size(); auto array_size = array->elements().size();
for (size_t i = 0; i < array_size; ++i) { for (size_t i = 0; i < array_size; ++i) {
if (i >= array->elements().size())
break;
auto value = array->elements().at(i); auto value = array->elements().at(i);
if (value.is_empty()) if (value.is_empty())
continue; continue;

25
Libraries/LibJS/Tests/array-shrink-during-find-crash.js Normal file
View file

@ -0,0 +1,25 @@
load("test-common.js");
try {
var a, callbackCalled;
callbackCalled = 0;
a = [1, 2, 3, 4, 5];
a.find(() => {
callbackCalled++;
a.pop();
});
assert(callbackCalled === 3);
callbackCalled = 0;
a = [1, 2, 3, 4, 5];
a.findIndex(() => {
callbackCalled++;
a.pop();
});
assert(callbackCalled === 3);
console.log("PASS");
} catch (e) {
console.log("FAIL: " + e);
}