Abort recording on invalid string indexes for JSOP_GETELEM (bug 452713, r=brendan).

2024-09-13 09:24:08 -07:00 · 2008-08-29 13:05:41 -07:00 · 2008-08-29 13:05:41 -07:00 · f10bd19c8e
commit f10bd19c8e
parent f35adba372
1 changed files with 6 additions and 0 deletions
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@ -4029,6 +4029,12 @@ TraceRecorder::record_JSOP_GETELEM()
    jsval& l = stackval(-2);

    if (JSVAL_IS_STRING(l) && JSVAL_IS_INT(r)) {
+        int i;
+
+        i = JSVAL_TO_INT(r);
+        if ((size_t)i >= JSSTRING_LENGTH(JSVAL_TO_STRING(l)))
+            ABORT_TRACE("Invalid string index in JSOP_GETELEM");
+
        LIns* args[] = { f2i(get(&r)), get(&l), cx_ins };
        LIns* unitstr_ins = lir->insCall(F_String_getelem, args);
        guard(false, lir->ins_eq0(unitstr_ins), MISMATCH_EXIT);