Adding tests for Array.prototype.copyWithin (#2443)

* Adding tests for Array.prototype.copyWithin. This case caused a security bug in Moddable
2025-07-31 01:44:54 +02:00 · 2019-12-18 08:26:19 -08:00 · 2019-12-18 08:26:19 -08:00 · 0ddce199d5
commit 0ddce199d5
parent cadd47aa5f
2 changed files with 105 additions and 0 deletions
--- a/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js
+++ b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js
@ -0,0 +1,59 @@
+// Copyright (C) 2019 Google. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+/*---
+esid: sec-array.prototype.copywithin
+description: >
+  SECURITY: start argument is coerced to an integer value
+  and side effects change the length of the array so that
+  the start is out of bounds
+info: |
+  22.1.3.3 Array.prototype.copyWithin (target, start [ , end ] )
+
+  ...
+  8. Let relativeStart be ToInteger(start).
+  ...
+includes: [compareArray.js]
+---*/
+
+
+// make a long integer Array
+function longDenseArray(){
+	var a = [0];
+	for(var i = 0; i < 1024; i++){
+		a[i] = i;
+	}
+	return a;
+}
+
+function shorten(){
+	currArray.length = 20;
+	return 1000;
+}
+
+var array = [];
+array.length = 20;
+
+var currArray = longDenseArray();
+
+assert(
+  compareArray(
+    currArray.copyWithin(0, {valueOf: shorten}), array
+  ),
+  'coercion side-effect makes start out of bounds'
+);
+
+currArray = longDenseArray();
+Object.setPrototypeOf(currArray, longDenseArray());
+
+var array2 = longDenseArray();
+array2.length = 20;
+for(var i = 0; i < 24; i++){
+	array2[i] = Object.getPrototypeOf(currArray)[i+1000];
+}
+
+assert(
+  compareArray(
+    currArray.copyWithin(0, {valueOf: shorten}), array2
+  ),
+  'coercion side-effect makes start out of bounds with prototype'
+);
--- a/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js
+++ b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js
@ -0,0 +1,46 @@
+// Copyright (C) 2019 Google. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+/*---
+esid: sec-array.prototype.copywithin
+description: >
+  SECURITY: start argument is coerced to an integer value
+  and side effects change the length of the array so that
+  the target is out of bounds
+info: |
+  22.1.3.3 Array.prototype.copyWithin (target, start [ , end ] )
+
+  ...
+  8. Let relativeStart be ToInteger(start).
+  ...
+includes: [compareArray.js]
+---*/
+
+
+// make a long integer Array
+function longDenseArray(){
+	var a = [0];
+	for(var i = 0; i < 1024; i++){
+		a[i] = i;
+	}
+	return a;
+}
+
+function shorten(){
+	currArray.length = 20;
+	return 1;
+}
+
+var array = longDenseArray();
+array.length = 20;
+for(var i = 0; i < 19; i++){
+	array[i+1000] = array[i+1];
+}
+
+var currArray = longDenseArray();
+
+assert(
+  compareArray(
+    currArray.copyWithin(1000, {valueOf: shorten}), array
+  ),
+  'coercion side-effect makes target out of bounds'
+);