From 79948b7dc4d6c4901eede4f50f353640512e9c94 Mon Sep 17 00:00:00 2001
From: neeldug <5161147+neeldug@users.noreply.github.com>
Date: Mon, 21 Jun 2021 10:54:07 +0100
Subject: [PATCH] fix(boa): fixes unshift maximum size (#1348)

* fix(boa): fixes unshift maximum size

- throws TypeErrException according to spec for len + argCount >
MAX_SAFE_INTEGER

Closes #1306

* fix(boa): fixes Array.protoype.push integer limit exceeded

- adds limit on push
- rephrases message

Closes #1306
---
 boa/src/builtins/array/mod.rs | 10 ++++++++++
 test_ignore.txt               |  1 -
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/boa/src/builtins/array/mod.rs b/boa/src/builtins/array/mod.rs
index 5c13f39bbe..3d614a8929 100644
--- a/boa/src/builtins/array/mod.rs
+++ b/boa/src/builtins/array/mod.rs
@@ -460,6 +460,13 @@ impl Array {
     /// [spec]: https://tc39.es/ecma262/#sec-array.prototype.push
     /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/push
     pub(crate) fn push(this: &Value, args: &[Value], context: &mut Context) -> Result<Value> {
+        let length = this.get_field("length", context)?.to_length(context)?;
+        let arg_count = args.len();
+
+        if length + arg_count > Number::MAX_SAFE_INTEGER as usize {
+            return context.throw_type_error("the length + the number of arguments exceed the maximum safe integer limit");
+        }
+
         let new_array = Self::add_to_array_object(this, args, context)?;
         new_array.get_field("length", context)
     }
@@ -688,6 +695,9 @@ impl Array {
         let arg_c = args.len();
 
         if arg_c > 0 {
+            if len + arg_c > Number::MAX_SAFE_INTEGER as usize {
+                return context.throw_type_error("the length + the number of arguments exceed the maximum safe integer limit");
+            }
             for k in (1..=len).rev() {
                 let from = k.wrapping_sub(1);
                 let to = k.wrapping_add(arg_c).wrapping_sub(1);
diff --git a/test_ignore.txt b/test_ignore.txt
index c3a20814ff..202d3432a9 100644
--- a/test_ignore.txt
+++ b/test_ignore.txt
@@ -13,7 +13,6 @@ feature:json-modules
 arg-length-exceeding-integer-limit
 15.4.4.19-8-c-ii-1
 length-boundaries
-throws-if-integer-limit-exceeded
 
 // These generate a stack overflow
 tco-call