IndexedDB: Impose array key length limit on subkeys

A follow-on to a previous fix[1] to handle the recursive case. A limit
was imposed on key length to prevent OOMs as JS arrays are converted to
IDB keys. Array keys were handled, but not nested arrays.

[1] https://chromium-review.googlesource.com/c/chromium/src/+/2304445

Bug: 1113505
Change-Id: I6eb184cf75e5b39eecfdb79f1d10536d68251452
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2346839
Commit-Queue: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Auto-Submit: Joshua Bell <jsbell@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#796490}

third_party/blink/renderer/bindings/modules/v8/v8_binding_for_modules.cc

@@ -320,7 +320,8 @@ static std::unique_ptr<IDBKey> CreateIDBKeyFromValue(
     } else {
       // A sub-array; push onto the stack and start processing it.
       v8::Local<v8::Array> array = item.As<v8::Array>();
-      if (seen.Contains(array) || stack.size() >= kMaximumDepth) {
+      if (seen.Contains(array) || stack.size() >= kMaximumDepth ||
+          array->Length() > kMaximumArraySize) {
         return IDBKey::CreateInvalid();
       }
 

third_party/blink/renderer/bindings/modules/v8/v8_binding_for_modules_test.cc

@@ -386,6 +386,10 @@ TEST(IDBKeyFromValue, SparseArray) {
   // Ridiculously large sparse array - ensure we check before allocating.
   key = ScriptToKey(scope, "Object.assign([], {length: 2e9})");
   EXPECT_FALSE(key->IsValid());
+
+  // Large sparse arrays as subkeys - ensure we check while recursing.
+  key = ScriptToKey(scope, "[Object.assign([], {length: 2e9})]");
+  EXPECT_FALSE(key->IsValid());
 }
 
 TEST(IDBKeyFromValue, ShrinkingArray) {