LibJS: Protect CanonicalIndex against double-to-integer overflow

Explicitly disallow constructing a CanonicalIndex from a floating point type without going through a factory method that will throw when the provided index cannot fit in a u32.
2025-07-27 01:07:36 +00:00 · 2022-12-07 08:11:05 -05:00 · 2022-12-07 08:11:05 -05:00 · d37d6b3479
commit d37d6b3479
parent 8f46cb83c7
3 changed files with 59 additions and 2 deletions
--- a/Userland/Libraries/LibJS/Runtime/CanonicalIndex.h
+++ b/Userland/Libraries/LibJS/Runtime/CanonicalIndex.h
@ -6,7 +6,11 @@

 #pragma once

+#include <AK/Concepts.h>
+#include <AK/NumericLimits.h>
 #include <AK/Types.h>
+#include <LibJS/Runtime/Completion.h>
+#include <LibJS/Runtime/VM.h>

 namespace JS {

@ -24,6 +28,20 @@ public:
    {
    }

+    template<FloatingPoint T>
+    CanonicalIndex(Type type, T index) = delete;
+
+    template<FloatingPoint T>
+    static ThrowCompletionOr<CanonicalIndex> from_double(VM& vm, Type type, T index)
+    {
+        if (index < static_cast<double>(NumericLimits<u32>::min()))
+            return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
+        if (index > static_cast<double>(NumericLimits<u32>::max()))
+            return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
+
+        return CanonicalIndex { type, static_cast<u32>(index) };
+    }
+
    u32 as_index() const
    {
        VERIFY(is_index());