Bug 422286: fix accounting of array length when slicing dense arrays. r=mrbkap, a=mconnor.

2024-09-13 09:24:08 -07:00 · 2008-03-11 23:50:55 -07:00 · 2008-03-11 23:50:55 -07:00 · 1ddc65a4a0
commit 1ddc65a4a0
parent 49be829b51
1 changed files with 1 additions and 1 deletions
--- a/js/src/jsarray.c
+++ b/js/src/jsarray.c
@ -2478,7 +2478,7 @@ array_slice(JSContext *cx, uintN argc, jsval *vp)
    if (begin > end)
        begin = end;

-    if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
+    if (OBJ_IS_DENSE_ARRAY(cx, obj) && end <= ARRAY_DENSE_LENGTH(obj)) {
        nobj = js_NewArrayObject(cx, end - begin, obj->dslots + begin);
        if (!nobj)
            return JS_FALSE;