LibJS: Don't overflow size_t in Value::to_length()

Although this is not spec-compliant, we don't have a way to represent objects larger than `NumericLimits<size_t>::max()`. Since this abstract operation is only used when dealing with object size, we don't lose any functionality by taking that limit into account too. This fixes a UBSAN error when compiling with Clang.
Author: https://github.com/BertalanD Commit: https://github.com/SerenityOS/serenity/commit/0e21bf0f23c Pull-request: https://github.com/SerenityOS/serenity/pull/8718 Issue: https://github.com/SerenityOS/serenity/issues/363 Reviewed-by: https://github.com/gunnarbeutner ✅ Reviewed-by: https://github.com/nico
2024-12-04 05:20:30 +00:00 · 2021-08-07 23:47:39 +02:00 · 2021-08-07 23:47:39 +02:00 · 0e21bf0f23 · 2024-07-18 07:15:08 +09:00
commit 0e21bf0f23
parent 78e7ff008b
1 changed files with 3 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/Value.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Value.cpp
@ -760,7 +760,9 @@ size_t Value::to_length(GlobalObject& global_object) const
        return INVALID;
    if (len <= 0)
        return 0;
-    return min(len, MAX_ARRAY_LIKE_INDEX);
+    // FIXME: The spec says that this function's output range is 0 - 2^53-1. But we don't want to overflow the size_t.
+    constexpr double length_limit = sizeof(void*) == 4 ? NumericLimits<size_t>::max() : MAX_ARRAY_LIKE_INDEX;
+    return min(len, length_limit);
 }

 // 7.1.22 ToIndex ( argument ), https://tc39.es/ecma262/#sec-toindex