LibWeb/HTML: Avoid potential overflow of index for DOMStringList

The included WPT test passes through -1 which ends up modolo'ing to u32 max at the IDL conversion layer, resulting in an unsigned overflow when checking bounds.
Author: https://github.com/shannonbooth Commit: 1b8a77f98c Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5307 Reviewed-by: https://github.com/tcl3 ✅
2025-07-19 07:22:21 +00:00 · 2025-07-05 22:11:47 +12:00 · 2025-07-05 22:11:47 +12:00 · 1b8a77f98c · 2025-07-05 11:29:35 +00:00
commit 1b8a77f98c
parent 715061fb79
3 changed files with 72 additions and 2 deletions
--- a/Libraries/LibWeb/HTML/DOMStringList.cpp
+++ b/Libraries/LibWeb/HTML/DOMStringList.cpp
@ -43,7 +43,7 @@ Optional<String> DOMStringList::item(u32 index) const
 {
    // The item(index) method steps are to return the indexth item in this's associated list, or null if index plus one
    // is greater than this's associated list's size.
-    if (index + 1 > m_list.size())
+    if (index >= m_list.size())
        return {};

    return m_list.at(index);
@ -58,7 +58,7 @@ bool DOMStringList::contains(StringView string)

 Optional<JS::Value> DOMStringList::item_value(size_t index) const
 {
-    if (index + 1 > m_list.size())
+    if (index >= m_list.size())
        return {};

    return JS::PrimitiveString::create(vm(), m_list.at(index));