fixed buffer overflow in TypedArray.prototype.lastIndexOf()
authorFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 13:25:41 +0000 (15:25 +0200)
committerFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 13:25:41 +0000 (15:25 +0200)
quickjs.c

index 994f032ab858693ce97f262b8eb4b870ed70a8fa..9be149de8a016de1b2bfb19e5aaba454a044e4b7 100644 (file)
--- a/quickjs.c
+++ b/quickjs.c
@@ -53619,22 +53619,12 @@ static JSValue js_typed_array_indexOf(JSContext *ctx, JSValueConst this_val,
     if (special == special_lastIndexOf) {
         k = len - 1;
         if (argc > 1) {
-            if (JS_ToFloat64(ctx, &d, argv[1]))
+            int64_t k1;
+            if (JS_ToInt64Clamp(ctx, &k1, argv[1], -1, len - 1, len))
                 goto exception;
-            if (isnan(d)) {
-                k = 0;
-            } else {
-                if (d >= 0) {
-                    if (d < k) {
-                        k = d;
-                    }
-                } else {
-                    d += len;
-                    if (d < 0)
-                        goto done;
-                    k = d;
-                }
-            }
+            k = k1;
+            if (k < 0)
+                goto done;
         }
         stop = -1;
         inc = -1;
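Review bot: The upper bound `len - 1` passed to `JS_ToInt64Clamp` comes from `len` as it was read before the call, and converting `argv[1]` can run script code, so the clamp keeps `k` in range only if the typed array still has `len` elements afterwards. Nothing in this hunk re-reads the length or the detached state after the conversion. js_typed_array_indexOf starts and ends outside the hunk, so please confirm that the code following the `lastIndexOf` branch re-validates the array before the backward scan indexes the buffer. It would also help to record the invariant at the call, for example `/* k1 is in [-1, len - 1]; -1 means the start index lies before element 0 */`, so the `k < 0` early exit is not mistaken for an error path.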