LibJS: Prevent huge memory allocations for bigint left shift

Author: https://github.com/devgianlu Commit: dd0cced92f Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4482 Reviewed-by: https://github.com/gmta ✅
2025-06-10 18:10:56 +09:00 · 2025-04-25 20:54:37 +02:00 · 2025-04-25 20:54:37 +02:00 · dd0cced92f · 2025-04-28 10:07:09 +00:00
commit dd0cced92f
parent 51a2fb3ffc
2 changed files with 7 additions and 1 deletions
--- a/Libraries/LibJS/Runtime/ErrorTypes.h
+++ b/Libraries/LibJS/Runtime/ErrorTypes.h
@ -21,6 +21,7 @@
    M(BigIntBadOperatorOtherType, "Cannot use {} operator with BigInt and other type")                                              \
    M(BigIntFromNonIntegral, "Cannot convert non-integral number to BigInt")                                                        \
    M(BigIntInvalidValue, "Invalid value for BigInt: {}")                                                                           \
+    M(BigIntSizeExceeded, "Maximum BigInt size exceeded")                                                                           \
    M(BindingNotInitialized, "Binding {} is not initialized")                                                                       \
    M(BufferOutOfBounds, "{} contains a property which references a value at an index not contained within its buffer's bounds")    \
    M(ByteLengthExceedsMaxByteLength, "ArrayBuffer byte length of {} exceeds the max byte length of {}")                            \
--- a/Libraries/LibJS/Runtime/Value.cpp
+++ b/Libraries/LibJS/Runtime/Value.cpp
@ -1593,8 +1593,13 @@ ThrowCompletionOr<Value> left_shift(VM& vm, Value lhs, Value rhs)
        return Value(lhs_i32 << shift_count);
    }
    if (both_bigint(lhs_numeric, rhs_numeric)) {
+        // AD-HOC: Prevent allocating huge amounts of memory.
+        auto rhs_bigint = rhs_numeric.as_bigint().big_integer().unsigned_value();
+        if (rhs_bigint.byte_length() > sizeof(u32))
+            return vm.throw_completion<RangeError>(ErrorType::BigIntSizeExceeded);
+
        // 6.1.6.2.9 BigInt::leftShift ( x, y ), https://tc39.es/ecma262/#sec-numeric-types-bigint-leftShift
-        auto multiplier_divisor = Crypto::SignedBigInteger { Crypto::NumberTheory::Power(Crypto::UnsignedBigInteger(2), rhs_numeric.as_bigint().big_integer().unsigned_value()) };
+        auto multiplier_divisor = Crypto::SignedBigInteger { Crypto::NumberTheory::Power(Crypto::UnsignedBigInteger(2), rhs_bigint) };

        // 1. If y < 0ℤ, then
        if (rhs_numeric.as_bigint().big_integer().is_negative()) {