From ff302f76a69c33630ed830293567ab86a648f82f Mon Sep 17 00:00:00 2001
From: gavin1012_hw
Date: Fri, 22 Jul 2022 16:11:51 +0800
Subject: [PATCH] Applying official patch for 'Avoid buffer-overflow in Array.slice when using fast arrays'

Related patch: https://github.com/jerryscript-project/jerryscript/pull/4797

Signed-off-by: gavin1012_hw
---
 .../ecma/builtin-objects/ecma-builtin-array-prototype.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c b/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
index 1faa25d0..29122306 100644
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c
@@ -900,6 +900,13 @@ ecma_builtin_array_prototype_object_slice (ecma_value_t arg1, /**< start */
 return new_array;
 }
 
+ /* Source array's length could be changed during the start/end normalization.
+ * If the "end" value is greater than the current length, clamp the value to avoid buffer-overflow. */
+ if (ext_from_obj_p->u.array.length < end)
+ {
+ end = ext_from_obj_p->u.array.length;
+ }
+
 ecma_extended_object_t *ext_to_obj_p = (ecma_extended_object_t *) new_array_p;
 
 #if ENABLED (JERRY_ES2015)
-- 
Gitee
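Review bot: The added guard clamps only `end` against the re-read `ext_from_obj_p->u.array.length`, but the same user code that shrank the array during start/end normalization can also leave `start` beyond the new length, so after the clamp `start` may exceed `end`. Whether the copy that follows tolerates `start > end` (a `k < end` loop is harmless, a `uint32_t` subtraction `end - start` would wrap) is decided by code outside this hunk, so if that code is not already guarded, clamp the other bound as well: `if (start > end) { start = end; }`. The same side effects that change the length can in principle also convert the source out of the fast-array representation, and the clamp does not re-establish that the buffer-style copy below is still valid; it is worth confirming this case in the tests that accompany the upstream fix, or asserting the fast-array property on the source object next to the clamp (the source object pointer is named outside the hunk). The comment could state what "normalization" refers to, e.g. `/* ToInteger() on the start/end arguments may run user code (valueOf/toString) that resizes the source array */`, since that is the only reason the length can change here. ecma_builtin_array_prototype_object_slice starts and ends outside the hunk.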