Bug 620376 - ArrayToIdVector from jsproxy.cpp should check for operation callback invocations. r=gal

2024-09-13 09:24:08 -07:00 · 2010-12-21 11:21:26 +01:00 · 2010-12-21 11:21:26 +01:00 · 3e0168d2c2
commit 3e0168d2c2
parent 603766b9f3
4 changed files with 45 additions and 3 deletions
--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@ -407,14 +407,14 @@ ArrayToIdVector(JSContext *cx, const Value &array, AutoIdVector &props)

    JSObject *obj = &array.toObject();
    jsuint length;
-    if (!js_GetLengthProperty(cx, obj, &length)) {
-        JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_BAD_ARRAY_LENGTH);
+    if (!js_GetLengthProperty(cx, obj, &length))
        return false;
-    }

    AutoIdRooter idr(cx);
    AutoValueRooter tvr(cx);
    for (jsuint n = 0; n < length; ++n) {
+        if (!JS_CHECK_OPERATION_LIMIT(cx))
+            return false;
        if (!js_IndexToId(cx, n, idr.addr()))
            return false;
        if (!obj->getProperty(cx, idr.id(), tvr.addr()))
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@ -60,3 +60,5 @@ script regress-617405-2.js
 script regress-618572.js
 skip-if(!xulRuntime.shell) script regress-618576.js  # uses evalcx
 fails-if(!xulRuntime.shell) script regress-618652.js
+script regress-620376-1.js
+script regress-620376-2.js
--- a/js/src/tests/js1_8_5/regress/regress-620376-1.js
+++ b/js/src/tests/js1_8_5/regress/regress-620376-1.js
@ -0,0 +1,21 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ * Contributors: Igor Bukanov
+ */
+
+function test() {
+    if (typeof timeout != "function")
+	return;
+
+    var p = Proxy.create({ enumerate: function() { return Array(1e9); }});
+
+    expectExitCode(6);
+    timeout(0.001);
+
+    var n = 0;
+    for (i in p) { ++n;}
+    return n;
+}
+
+test();
--- a/js/src/tests/js1_8_5/regress/regress-620376-2.js
+++ b/js/src/tests/js1_8_5/regress/regress-620376-2.js
@ -0,0 +1,19 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ * Contributors: Igor Bukanov
+ */
+
+function test() {
+    var p = Proxy.create({ enumerate: function() { return { get length() { throw 1; }}; }});
+
+    try {
+	for (i in p);
+	throw new Error("an exception should be thrown");
+    } catch (e) {
+	assertEq(e, 1);
+    }
+}
+
+test();
+reportCompare(0, 0, "ok");