LibJS: Handle OOB access in GenericIndexedPropertyStorage::take_last()

We already do this for the SimpleIndexedPropertyStorage, so for indexed properties with GenericIndexedPropertyStorage this would previously crash. Since overwriting the array-like size with a larger value won't magically insert values at previously unset indices, we need to handle such an out of bounds access gracefully and just return an empty value. Fixes #7043.
author: Linus Groh <mail@linusgroh.de> 2021-05-17 23:20:29 +0100
committer: Linus Groh <mail@linusgroh.de> 2021-05-17 23:20:29 +0100
commit: 63e8477a6b1e46139439cc7a0f55e823d29dc9d9 (patch)
tree: 9e14e3d353646f4b21e19edc93fde4d76a3c5f00
parent: c15121fef7f1a08614d46bbd5fbbbf4130360a86 (diff)
download: serenity-63e8477a6b1e46139439cc7a0f55e823d29dc9d9.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp b/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
index ff828cb6b8..a7ae1d54d4 100644
--- a/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
+++ b/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
@@ -160,8 +160,9 @@ ValueAndAttributes GenericIndexedPropertyStorage::take_last()
     m_array_size--;
 
     auto result = m_sparse_elements.get(m_array_size);
+    if (!result.has_value())
+        return {};
     m_sparse_elements.remove(m_array_size);
-    VERIFY(result.has_value());
     return result.value();
 }
author	Linus Groh <mail@linusgroh.de>	2021-05-17 23:20:29 +0100
committer	Linus Groh <mail@linusgroh.de>	2021-05-17 23:20:29 +0100
commit	63e8477a6b1e46139439cc7a0f55e823d29dc9d9 (patch)
tree	9e14e3d353646f4b21e19edc93fde4d76a3c5f00
parent	c15121fef7f1a08614d46bbd5fbbbf4130360a86 (diff)
download	serenity-63e8477a6b1e46139439cc7a0f55e823d29dc9d9.zip