LibJS: Add bounds check to Array.prototype.{find,findIndex}

The number of iterations is limited to the initial array size, but we still need to check if the array did shrink since then before accessing each element. Fixes #1992.
Author: https://github.com/linusg Commit: c14fedd562 Pull-request: https://github.com/SerenityOS/serenity/pull/1993 Issue: https://github.com/SerenityOS/serenity/issues/1992
2025-08-18 08:20:44 +00:00 · 2020-04-28 00:26:00 +01:00 · 2020-04-28 00:26:00 +01:00 · c14fedd562 · 2024-07-19 07:14:03 +09:00
commit c14fedd562
parent 92671be906
2 changed files with 31 additions and 0 deletions
--- a/Libraries/LibJS/Runtime/ArrayPrototype.cpp
+++ b/Libraries/LibJS/Runtime/ArrayPrototype.cpp
@ -441,6 +441,9 @@ Value ArrayPrototype::find(Interpreter& interpreter)
    auto array_size = array->elements().size();

    for (size_t i = 0; i < array_size; ++i) {
+        if (i >= array->elements().size())
+            break;
+
        auto value = array->elements().at(i);
        if (value.is_empty())
            continue;
@ -475,6 +478,9 @@ Value ArrayPrototype::find_index(Interpreter& interpreter)
    auto array_size = array->elements().size();

    for (size_t i = 0; i < array_size; ++i) {
+        if (i >= array->elements().size())
+            break;
+
        auto value = array->elements().at(i);
        if (value.is_empty())
            continue;