LibJS: Prevent huge memory allocations for bigint left shift

Author: https://github.com/devgianlu Commit: dd0cced92f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4482 Reviewed-by: https://github.com/gmta ✅
2025-08-08 09:09:43 +00:00 · 2025-04-25 20:54:37 +02:00 · 2025-04-25 20:54:37 +02:00 · dd0cced92f · 2025-04-28 10:07:09 +00:00
commit dd0cced92f
parent 51a2fb3ffc
2 changed files with 7 additions and 1 deletions
--- a/Libraries/LibJS/Runtime/Value.cpp
+++ b/Libraries/LibJS/Runtime/Value.cpp
@ -1593,8 +1593,13 @@ ThrowCompletionOr<Value> left_shift(VM& vm, Value lhs, Value rhs)
        return Value(lhs_i32 << shift_count);
    }
    if (both_bigint(lhs_numeric, rhs_numeric)) {
+        // AD-HOC: Prevent allocating huge amounts of memory.
+        auto rhs_bigint = rhs_numeric.as_bigint().big_integer().unsigned_value();
+        if (rhs_bigint.byte_length() > sizeof(u32))
+            return vm.throw_completion<RangeError>(ErrorType::BigIntSizeExceeded);
+
        // 6.1.6.2.9 BigInt::leftShift ( x, y ), https://tc39.es/ecma262/#sec-numeric-types-bigint-leftShift
-        auto multiplier_divisor = Crypto::SignedBigInteger { Crypto::NumberTheory::Power(Crypto::UnsignedBigInteger(2), rhs_numeric.as_bigint().big_integer().unsigned_value()) };
+        auto multiplier_divisor = Crypto::SignedBigInteger { Crypto::NumberTheory::Power(Crypto::UnsignedBigInteger(2), rhs_bigint) };

        // 1. If y < 0ℤ, then
        if (rhs_numeric.as_bigint().big_integer().is_negative()) {