LibJS: Handle OOB access in GenericIndexedPropertyStorage::take_last()

We already do this for the SimpleIndexedPropertyStorage, so for indexed properties with GenericIndexedPropertyStorage this would previously crash. Since overwriting the array-like size with a larger value won't magically insert values at previously unset indices, we need to handle such an out of bounds access gracefully and just return an empty value. Fixes #7043.
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/63e8477a6b1
2021-05-17 23:20:29 +01:00 · 2021-05-17 23:20:29 +01:00 · 63e8477a6b · 2024-07-18 17:53:53 +09:00
commit 63e8477a6b
parent c15121fef7
1 changed files with 2 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
+++ b/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
@ -160,8 +160,9 @@ ValueAndAttributes GenericIndexedPropertyStorage::take_last()
    m_array_size--;

    auto result = m_sparse_elements.get(m_array_size);
+    if (!result.has_value())
+        return {};
    m_sparse_elements.remove(m_array_size);
-    VERIFY(result.has_value());
    return result.value();
 }