1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 01:07:36 +00:00

LibJS: Protect CanonicalIndex against double-to-integer overflow

Explicitly disallow constructing a CanonicalIndex from a floating point
type without going through a factory method that will throw when the
provided index cannot fit in a u32.
This commit is contained in:
Timothy Flynn 2022-12-07 08:11:05 -05:00 committed by Linus Groh
parent 8f46cb83c7
commit d37d6b3479
3 changed files with 59 additions and 2 deletions

View file

@ -6,7 +6,11 @@
#pragma once
#include <AK/Concepts.h>
#include <AK/NumericLimits.h>
#include <AK/Types.h>
#include <LibJS/Runtime/Completion.h>
#include <LibJS/Runtime/VM.h>
namespace JS {
@ -24,6 +28,20 @@ public:
{
}
template<FloatingPoint T>
CanonicalIndex(Type type, T index) = delete;
template<FloatingPoint T>
static ThrowCompletionOr<CanonicalIndex> from_double(VM& vm, Type type, T index)
{
if (index < static_cast<double>(NumericLimits<u32>::min()))
return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
if (index > static_cast<double>(NumericLimits<u32>::max()))
return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
return CanonicalIndex { type, static_cast<u32>(index) };
}
u32 as_index() const
{
VERIFY(is_index());