Normative: Recompute count in TA.p.slice (#3255)
Closes #3248.

The current algorithm has a bug that can result in OOB reads in the
source TA, because _count_ is not correctly recomputed when the source
TA is resized during evaluation of the species constructor.

(It is currently bounded by _len_, which is recomputed, but this is
incorrect because the bounds of the copy loop are not on the length, but
instead on how many bytes need to be copied.)
syg authored and ljharb committed Jan 11, 2024
1 parent 92d2410 commit 22de374
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion spec.html
Expand Up @@ -41112,6 +41112,7 @@ <h1>%TypedArray%.prototype.slice ( _start_, _end_ )</h1>
1. If IsTypedArrayOutOfBounds(_taRecord_) is *true*, throw a *TypeError* exception.
1. Set _len_ to TypedArrayLength(_taRecord_).
1. Set _final_ to min(_final_, _len_).
1. Set _count_ to max(_final_ - _k_, 0).
1. Let _srcType_ be TypedArrayElementType(_O_).
1. Let _targetType_ be TypedArrayElementType(_A_).
1. If _srcType_ is _targetType_, then
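Review bot: The added step "Set _count_ to max(_final_ - _k_, 0)" carries no explanation, and on its own it reads like a redundant recomputation that a later editorial cleanup could remove. Add a Note at that step saying that _len_ and _final_ can have shrunk since _count_ was first computed, because the source can be resized while the species constructor runs. The Note should also say why the max(…, 0) clamp is there: _k_ is not re-clamped against the new _len_ in these lines, so _final_ - _k_ can go negative.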
Expand All @@ -41122,7 +41123,7 @@ <h1>%TypedArray%.prototype.slice ( _start_, _end_ )</h1>
1. Let _srcByteOffset_ be _O_.[[ByteOffset]].
1. Let _srcByteIndex_ be (_k_ × _elementSize_) + _srcByteOffset_.
1. Let _targetByteIndex_ be _A_.[[ByteOffset]].
1. Let _limit_ be _targetByteIndex_ + min(_count_, _len_) × _elementSize_.
1. Let _limit_ be _targetByteIndex_ + (_count_ × _elementSize_).
1. Repeat, while _targetByteIndex_ &lt; _limit_,
1. Let _value_ be GetValueFromBuffer(_srcBuffer_, _srcByteIndex_, ~uint8~, *true*, ~unordered~).
1. Perform SetValueInBuffer(_targetBuffer_, _targetByteIndex_, ~uint8~, _value_, *true*, ~unordered~).
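Review bot: In "Let _limit_ be _targetByteIndex_ + (_count_ × _elementSize_)", the loop bound now rests entirely on _count_ having been recomputed after the out-of-bounds check, and nothing in this block states that dependency. Consider an Assert before the loop that _k_ + _count_ ≤ _len_ whenever _count_ > 0, so the invariant that keeps GetValueFromBuffer inside the source is written next to the reads. The replaced min(_count_, _len_) capped the element count by the source length but ignored the starting offset from _srcByteIndex_ being (_k_ × _elementSize_) + _srcByteOffset_, so it did not stop the read running past the end; an Assert would make that distinction hard to lose.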