LibJS: Add bounds check to Array.prototype.{find,findIndex}

The number of iterations is limited to the initial array size, but we still need to check if the array did shrink since then before accessing each element. Fixes #1992.
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/c14fedd5629 Pull-request: https://github.com/SerenityOS/serenity/pull/1993 Issue: https://github.com/SerenityOS/serenity/issues/1992
2025-04-21 12:05:15 +00:00 · 2020-04-28 00:26:00 +01:00 · 2020-04-28 00:26:00 +01:00 · c14fedd562 · 2024-07-19 07:14:03 +09:00
commit c14fedd562
parent 92671be906
2 changed files with 31 additions and 0 deletions
--- a/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@ -441,6 +441,9 @@ Value ArrayPrototype::find(Interpreter& interpreter)
    auto array_size = array->elements().size();

    for (size_t i = 0; i < array_size; ++i) {
+        if (i >= array->elements().size())
+            break;
+
        auto value = array->elements().at(i);
        if (value.is_empty())
            continue;
@ -475,6 +478,9 @@ Value ArrayPrototype::find_index(Interpreter& interpreter)
    auto array_size = array->elements().size();

    for (size_t i = 0; i < array_size; ++i) {
+        if (i >= array->elements().size())
+            break;
+
        auto value = array->elements().at(i);
        if (value.is_empty())
            continue;
--- a/Libraries/LibJS/Tests/array-shrink-during-find-crash.js
+++ b/Libraries/LibJS/Tests/array-shrink-during-find-crash.js
@ -0,0 +1,25 @@
+load("test-common.js");
+
+try {
+    var a, callbackCalled;
+
+    callbackCalled = 0;
+    a = [1, 2, 3, 4, 5];
+    a.find(() => {
+        callbackCalled++;
+        a.pop();
+    });
+    assert(callbackCalled === 3);
+
+    callbackCalled = 0;
+    a = [1, 2, 3, 4, 5];
+    a.findIndex(() => {
+        callbackCalled++;
+        a.pop();
+    });
+    assert(callbackCalled === 3);
+
+    console.log("PASS");
+} catch (e) {
+    console.log("FAIL: " + e);
+}