From f289fe3dca487c45417f7b40d51a4830f3369fb1 Mon Sep 17 00:00:00 2001
From: Stephan Bergmann <stephan.bergmann@allotropia.de>
Date: Mon, 5 Feb 2024 12:54:38 +0100
Subject: [PATCH] Prevent JS from creating css::uno::Sequence of negative size

Change-Id: I2449723162744e9ce3cb3e3172ce8acae0adf4db
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162998
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <stephan.bergmann@allotropia.de>
---
 .../unoembindhelpers/PrimaryBindings.hxx       | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/include/static/unoembindhelpers/PrimaryBindings.hxx b/include/static/unoembindhelpers/PrimaryBindings.hxx
index 6f8005b1656c..61efaf01153b 100644
--- a/include/static/unoembindhelpers/PrimaryBindings.hxx
+++ b/include/static/unoembindhelpers/PrimaryBindings.hxx
@@ -52,6 +52,14 @@ template <typename T> struct UnoInOutParam
     T value;
 };
 
+inline void checkSequenceSize(sal_Int32 size)
+{
+    if (size < 0)
+    {
+        throw std::invalid_argument("negative size");
+    }
+}
+
 template <typename T>
 void checkSequenceAccess(css::uno::Sequence<T> const& sequence, sal_Int32 index)
 {
@@ -64,13 +72,13 @@ void checkSequenceAccess(css::uno::Sequence<T> const& sequence, sal_Int32 index)
 template <typename T> void registerSequence(char const* name)
 {
     emscripten::class_<css::uno::Sequence<T>>(name)
-        .template constructor<sal_Int32>()
+        .constructor(+[](sal_Int32 size) {
+            checkSequenceSize(size);
+            return css::uno::Sequence<T>(size);
+        })
         .function("resize",
                   +[](css::uno::Sequence<T>& self, sal_Int32 size) {
-                      if (size < 0)
-                      {
-                          throw std::invalid_argument("negative size");
-                      }
+                      checkSequenceSize(size);
                       self.realloc(size);
                   })
         .function("size", &css::uno::Sequence<T>::getLength)