system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-10-07 00:19:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibJS: Cast length to signed integer before subtraction

Browse source 
length is size_t as returned, and so subtracting from it may cause
underflow. We handle this case by just casting it to a signed value, and
the for loop predicate takes care of the rest.
This commit is contained in:
sin-ack 2021-08-07 08:47:38 +00:00 committed by Andreas Kling
parent 3bea3f11e5
commit ab39a94fdf
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp
View file

@ -1521,7 +1521,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last)
// 4. Let k be len - 1.
// 5. Repeat, while k ≥ 0,
for (i64 k = length - 1; k >= 0; --k) {
for (i64 k = static_cast<i64>(length) - 1; k >= 0; --k) {
// a. Let Pk be ! ToString(𝔽(k)).
auto property_name = PropertyName { k };
@ -1570,7 +1570,7 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::find_last_index)
// 4. Let k be len - 1.
// 5. Repeat, while k ≥ 0,
for (i64 k = length - 1; k >= 0; --k) {
for (i64 k = static_cast<i64>(length) - 1; k >= 0; --k) {
// a. Let Pk be ! ToString(𝔽(k)).
auto property_name = PropertyName { k };