From 63e8477a6b1e46139439cc7a0f55e823d29dc9d9 Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Mon, 17 May 2021 23:20:29 +0100
Subject: LibJS: Handle OOB access in GenericIndexedPropertyStorage::take_last()
We already do this for the SimpleIndexedPropertyStorage, so for indexed properties with GenericIndexedPropertyStorage this would previously crash. Since overwriting the array-like size with a larger value won't magically insert values at previously unset indices, we need to handle such an out of bounds access gracefully and just return an empty value. Fixes #7043.
---
 Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp b/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
index ff828cb6b8..a7ae1d54d4 100644
--- a/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
+++ b/Userland/Libraries/LibJS/Runtime/IndexedProperties.cpp
@@ -160,8 +160,9 @@ ValueAndAttributes GenericIndexedPropertyStorage::take_last()
 m_array_size--;
 auto result = m_sparse_elements.get(m_array_size);
+ if (!result.has_value())
+ return {};
 m_sparse_elements.remove(m_array_size);
- VERIFY(result.has_value());
 return result.value();
 }
--
cgit v1.2.3
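Review bot: The new early return in take_last() hands callers a default-constructed ValueAndAttributes, but nothing at the check says why a missing entry is legitimate or that the result may be empty; a comment above it would record that, e.g. `// The size can exceed the highest stored index, so the last slot may be a hole; report it as empty.` The commit message ties this path to overwriting the array-like size, so callers presumably have to map the empty value to undefined before it becomes visible to script; those callers are outside the hunk and worth confirming. The diffstat shows only this file changed, so a regression test for the case in #7043 would keep the crash from returning unnoticed. The function starts above the hunk, so whether `m_array_size--` is guarded against a zero size cannot be seen from here.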