LibJS: Protect CanonicalIndex against double-to-integer overflow
Explicitly disallow constructing a CanonicalIndex from a floating point type without going through a factory method that will throw when the provided index cannot fit in a u32.
parent
8f46cb83c7
commit
d37d6b3479
3 changed files with 59 additions and 2 deletions
|
@ -6,7 +6,11 @@
|
|||
|
||||
#pragma once
|
||||
|
||||
#include <AK/Concepts.h>
|
||||
#include <AK/NumericLimits.h>
|
||||
#include <AK/Types.h>
|
||||
#include <LibJS/Runtime/Completion.h>
|
||||
#include <LibJS/Runtime/VM.h>
|
||||
|
||||
namespace JS {
|
||||
|
||||
|
@ -24,6 +28,20 @@ public:
|
|||
{
|
||||
}
|
||||
|
||||
template<FloatingPoint T>
|
||||
CanonicalIndex(Type type, T index) = delete;
|
||||
|
||||
template<FloatingPoint T>
|
||||
static ThrowCompletionOr<CanonicalIndex> from_double(VM& vm, Type type, T index)
|
||||
{
|
||||
if (index < static_cast<double>(NumericLimits<u32>::min()))
|
||||
return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
|
||||
if (index > static_cast<double>(NumericLimits<u32>::max()))
|
||||
return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);
|
||||
|
||||
return CanonicalIndex { type, static_cast<u32>(index) };
|
||||
}
|
||||
|
||||
u32 as_index() const
|
||||
{
|
||||
VERIFY(is_index());
|
||||
|
|
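Review bot: NaN passes both range checks in `from_double`, because `index < ...` and `index > ...` are each false for NaN, and it then reaches `static_cast<u32>(index)`, which is undefined behaviour for a value with no u32 representation. Writing the guard as one negated in-range test closes this without a new helper: `if (!(index >= static_cast<double>(NumericLimits<u32>::min()) && index <= static_cast<double>(NumericLimits<u32>::max())))`, followed by the existing `return vm.throw_completion<RangeError>(ErrorType::TypedArrayInvalidIntegerIndex, index);`. Callers outside this hunk may already filter NaN and non-integral values, but the factory is the overflow guard and should not rely on that. A one-line comment above the final `return`, such as `// In-range fractional values are truncated toward zero by the cast.`, would make that behaviour explicit.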