From e389ae3c9754b0c6c40a383a666f103c42789630 Mon Sep 17 00:00:00 2001
From: Andrew Kaster
Date: Mon, 31 May 2021 13:08:49 -0600
Subject: [PATCH] LibJS: Ensure shift values in shift_right are modded by 32

The unsigned shift right implementation was already doing this, but the spec requires a mod32 of rhs before the shift for the signed shift right implementation as well. Caught by UBSAN and oss-fuzz.
---
 Userland/Libraries/LibJS/Runtime/Value.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/Value.cpp b/Userland/Libraries/LibJS/Runtime/Value.cpp
index 0317f35882..f1fa366a31 100644
--- a/Userland/Libraries/LibJS/Runtime/Value.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Value.cpp
@@ -1020,7 +1020,7 @@ Value right_shift(GlobalObject& global_object, Value lhs, Value rhs)
 if (!rhs_numeric.is_finite_number())
 return lhs_numeric;
 auto lhs_i32 = lhs_numeric.to_i32(global_object);
- auto rhs_u32 = rhs_numeric.to_u32(global_object);
+ auto rhs_u32 = rhs_numeric.to_u32(global_object) % 32;
 return Value(lhs_i32 >> rhs_u32);
 }
 if (both_bigint(lhs_numeric, rhs_numeric)) {
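Review bot: The `% 32` removes the out-of-range shift count that UBSAN flagged, but the shift it feeds, `lhs_i32 >> rhs_u32` on the next line, still depends on a negative `lhs_i32` being shifted arithmetically, which C++17 leaves implementation-defined (only C++20 guarantees sign propagation) while ECMAScript `>>` requires it; a comment such as `// Signed shift: the spec requires sign-extension, which pre-C++20 is implementation-defined for negative lhs (arithmetic on GCC/Clang)` or a `static_assert((-1 >> 1) == -1);` next to it would pin that assumption. The reduction itself is correct: on a `u32`, `% 32` is the spec's `& 0x1F`, so if the unsigned_right_shift path the commit message refers to uses the mask form, matching it would keep the two implementations reading alike. Separately, and pre-existing rather than introduced here, the context line `return lhs_numeric;` for a non-finite rhs appears to hand back the raw lhs, whereas the spec's `ToUint32(NaN) == 0` path yields `ToInt32(lhs)`, so a fractional or out-of-i32-range lhs would differ; that may deserve a follow-up. The body of right_shift continues outside the hunk on both sides.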