path: root/Userland/Libraries/LibJS/Runtime/Value.cpp
authorDaniel Bertalan <dani@danielbertalan.dev>2021-08-07 23:47:39 +0200
committerAndreas Kling <kling@serenityos.org>2021-08-08 10:55:36 +0200
commit0e21bf0f23c0f072deadb4e5d085a94525f2b135 (patch)
tree281dd1caa1e66fc7f0f093f5f83fd76f7fd71c77 /Userland/Libraries/LibJS/Runtime/Value.cpp
parent78e7ff008b51a9a0f4383107359b8bbc5f1d9cee (diff)
LibJS: Don't overflow size_t in `Value::to_length()`
Although this is not spec-compliant, we don't have a way to represent objects larger than `NumericLimits<size_t>::max()`. Since this abstract operation is only used when dealing with object size, we don't lose any functionality by taking that limit into account too. This fixes a UBSAN error when compiling with Clang.
Diffstat (limited to 'Userland/Libraries/LibJS/Runtime/Value.cpp')
-rw-r--r--Userland/Libraries/LibJS/Runtime/Value.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/Value.cpp b/Userland/Libraries/LibJS/Runtime/Value.cpp
index f2336f51cb..253d3e43bd 100644
--- a/Userland/Libraries/LibJS/Runtime/Value.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Value.cpp
@@ -760,7 +760,9 @@ size_t Value::to_length(GlobalObject& global_object) const
return INVALID;
if (len <= 0)
return 0;
- return min(len, MAX_ARRAY_LIKE_INDEX);
+ // FIXME: The spec says that this function's output range is 0 - 2^53-1. But we don't want to overflow the size_t.
+ constexpr double length_limit = sizeof(void*) == 4 ? NumericLimits<size_t>::max() : MAX_ARRAY_LIKE_INDEX;
+ return min(len, length_limit);
}
// 7.1.22 ToIndex ( argument ), https://tc39.es/ecma262/#sec-toindex
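Review bot: The new clamp on the `length_limit` line keys off `sizeof(void*) == 4` as a proxy for the width of `size_t`, which is what the conversion on the `return` line actually overflows; a form that needs no architecture branch is to take the smaller of the two bounds directly, `constexpr double length_limit = min(static_cast<double>(NumericLimits<size_t>::max()), static_cast<double>(MAX_ARRAY_LIKE_INDEX));`, since on a 64-bit `size_t` the rounded-up `2^64` loses to `2^53-1` and on a 32-bit one `4294967295.0` is exact and wins (this assumes AK's `min` is usable in a constant expression for `double`; otherwise drop the `constexpr`). The `if (len <= 0)` guard above does not reject NaN, so if `len` can still be NaN here, both `min` and the final `double` to `size_t` conversion are undefined; presumably the ToIntegerOrInfinity step earlier in the function maps NaN to 0, but that line is above the hunk and worth confirming. The FIXME would be clearer if it named the deviation explicitly, e.g. `// FIXME: Spec says 0 .. 2^53-1, but we clamp to NumericLimits<size_t>::max() on 32-bit targets so the conversion to size_t below cannot overflow.` The start of `Value::to_length()` is outside this hunk.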