Avoid buffer-overflow in Array.slice when using fast arrays (#4797)

In the Array.slice method when the engine uses fast arrays the "end" value
was not updated if the input array's length changed. This can occur when the start/end
index normalization executes a method and the length is changed forcefully.
This leads to a buffer-overflow as the element copy reads too much data from the input
array.

JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com

jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c

@@ -872,6 +872,13 @@ ecma_builtin_array_prototype_object_slice (ecma_value_t arg1, /**< start */
         return ecma_make_object_value (new_array_p);
       }
 
+      /* Source array's length could be changed during the start/end normalization.
+       * If the "end" value is greater than the current length, clamp the value to avoid buffer-overflow. */
+      if (ext_from_obj_p->u.array.length < end)
+      {
+        end = ext_from_obj_p->u.array.length;
+      }
+
       ecma_extended_object_t *ext_to_obj_p = (ecma_extended_object_t *) new_array_p;
 
 #if JERRY_ESNEXT