fergalmoran/ladybird
1
0
Fork 0
mirror of https://github.com/fergalmoran/ladybird.git synced 2025-12-22 09:19:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibJS: Cast length to signed integer before subtraction

Browse Source 
length is size_t as returned, and so subtracting from it may cause
underflow. We handle this case by just casting it to a signed value, and
the for loop predicate takes care of the rest.
This commit is contained in:
sin-ack
2021-08-07 08:47:38 +00:00
committed by Andreas Kling
parent 3bea3f11e5
commit ab39a94fdf
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
View File

@@ -1521,7 +1521,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last)
// 4. Let k be len - 1.
// 5. Repeat, while k ≥ 0,
for (i64 k = length - 1; k >= 0; --k) {
for (i64 k = static_cast<i64>(length) - 1; k >= 0; --k) {
// a. Let Pk be ! ToString(𝔽(k)).
auto property_name = PropertyName { k };
@@ -1570,7 +1570,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last_index)
// 4. Let k be len - 1.
// 5. Repeat, while k ≥ 0,
for (i64 k = length - 1; k >= 0; --k) {
for (i64 k = static_cast<i64>(length) - 1; k >= 0; --k) {
// a. Let Pk be ! ToString(𝔽(k)).
auto property_name = PropertyName { k };