Bug 970285 -- Detect negative lengths supplied to unsized array constructor r=shu

This commit is contained in:
Nicholas D. Matsakis 2014-02-12 18:49:46 -05:00
parent 0fe7059394
commit 5ea9b4cfa5
2 changed files with 16 additions and 0 deletions


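--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -2427,6 +2427,11 @@ TypedObject::constructUnsized(JSContext *cx, unsigned int argc, Value *vp)
 // Length constructor.
 if (args[0].isInt32()) {
 int32_t length = args[0].toInt32();
+if (length < 0) {
+JS_ReportErrorNumber(cx, js_GetErrorMessage,
+nullptr, JSMSG_TYPEDOBJECT_BAD_ARGS);
+return nullptr;
+}
 Rooted<TypedObject*> obj(cx, createZeroed(cx, callee, length));
 if (!obj)
 return false;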
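Review bot: `return nullptr;` on the new error path is inconsistent with `return false;` two lines below, which indicates constructUnsized returns bool rather than a pointer; the added branch should end with `return false;` so the failure is signalled the same way as the existing one (relying on a nullptr-to-bool conversion in a return statement is at best compiler-dependent). The guard only covers the `isInt32()` branch; if a non-int32 numeric length is accepted by a branch outside this hunk, it would need the same check, but that code is not visible here. constructUnsized begins before and ends after the hunk.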


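--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,11 @@
+// |jit-test| error:TypeError
+if (!this.hasOwnProperty("TypedObject"))
+throw new TypeError();
+// Test that we detect invalid lengths supplied to unsized array
+// constructor. Public domain.
+var AA = TypedObject.uint8.array(2147483647).array();
+var aa = new AA(-1);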
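Review bot: The feature-detection guard on the second line throws the very TypeError the `error:TypeError` directive expects, so on a build without TypedObject the test passes without ever exercising the negative-length check. Either throw a different exception type from the feature-absent path, or use the harness's skip mechanism, so that an absent feature is not mistaken for a passing check; at minimum the comment should say so, e.g. `// NOTE: if TypedObject is absent the guard above also throws TypeError, which this test cannot distinguish from the expected failure.` The test also pins only `-1`; whether the check is applied to non-int32 numeric lengths is not covered here.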