Title: [231198] trunk/Source/_javascript_Core
- Revision
- 231198
- Author
- rmoris...@apple.com
- Date
- 2018-05-01 09:03:54 -0700 (Tue, 01 May 2018)
Log Message
Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
https://bugs.webkit.org/show_bug.cgi?id=184772
<rdar://problem/39146327>
Reviewed by Filip Pizlo.
Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399>), where a check was missing.
This patch now makes sure that the check correctly detects if there is an integer overflow.
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):
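The integer overflow the commit message refers to can be reproduced in isolation. The following is an added example, not code from WebKit or from this patch: it puts the pre-patch `oldLength + count > MAX_STORAGE_VECTOR_LENGTH` test next to a minimal stand-in for `Checked<unsigned, RecordOverflow>` and shows that a wrapped sum slips under the bound while the checked addition reports overflow. `kMaxStorageVectorLength`, the helper names and the sample lengths are assumptions of the example, not JSC identifiers or values.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>

// Stand-in for JSC's MAX_STORAGE_VECTOR_LENGTH. The real value is not on this
// page; this constant is an assumption chosen only so the example runs.
constexpr unsigned kMaxStorageVectorLength = 0x10000000u;

// The pre-patch test: `oldLength + count` is plain unsigned arithmetic, which
// wraps modulo 2^32. Returns true when the test would let the unshift proceed
// (the old code then called ensureLength with that same wrapped sum).
bool uncheckedLengthTestPasses(unsigned oldLength, unsigned count)
{
    return !(oldLength + count > kMaxStorageVectorLength);
}

// Minimal model of WTF's Checked<unsigned, RecordOverflow> for one addition:
// nullopt when the mathematical sum does not fit in unsigned, else the sum.
std::optional<unsigned> checkedAdd(unsigned a, unsigned b)
{
    if (b > std::numeric_limits<unsigned>::max() - a)
        return std::nullopt;
    return a + b;
}

// The three outcomes of the post-patch check, in the order the patch tests them.
enum class Outcome { Overflow, TooLarge, Proceed };

// Post-patch logic: detect overflow first (patch: throwOutOfMemoryError and
// return true), then compare the genuine sum with the limit (patch: return
// false), and only then hand newLength on to the allocation (patch: ensureLength).
Outcome checkedLengthTest(unsigned oldLength, unsigned count, unsigned& newLength)
{
    std::optional<unsigned> sum = checkedAdd(oldLength, count);
    if (!sum)
        return Outcome::Overflow;
    newLength = *sum;
    if (newLength > kMaxStorageVectorLength)
        return Outcome::TooLarge;
    return Outcome::Proceed;
}

int main()
{
    // Constructed inputs: a length already near the 32-bit limit plus a small
    // count, so the unsigned sum wraps to 0x10 and looks harmlessly small.
    const unsigned oldLength = 0xFFFFFFF0u;
    const unsigned count = 0x20u;
    unsigned newLength = 0;

    std::cout << "unchecked test passes: "
              << uncheckedLengthTestPasses(oldLength, count) << '\n';
    std::cout << "checked outcome is Overflow: "
              << (checkedLengthTest(oldLength, count, newLength) == Outcome::Overflow) << '\n';
    return 0;
}
```

The ordering matters: the overflow test has to run on the checked value before the comparison against the limit, because once the sum has wrapped it is small and the limit comparison alone cannot tell a wrapped sum from a legitimate one.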
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (231197 => 231198)
--- trunk/Source/_javascript_Core/ChangeLog 2018-05-01 16:01:25 UTC (rev 231197)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-05-01 16:03:54 UTC (rev 231198)
@@ -1,5 +1,19 @@
2018-05-01 Robin Morisset <rmoris...@apple.com>
+ Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
+ https://bugs.webkit.org/show_bug.cgi?id=184772
+ <rdar://problem/39146327>
+
+ Reviewed by Filip Pizlo.
+
+ Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
+ This patch now makes sure that the check correctly detects if there is an integer overflow.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+
+2018-05-01 Robin Morisset <rmoris...@apple.com>
+
Correctly detect string overflow when using the 'Function' constructor
https://bugs.webkit.org/show_bug.cgi?id=184883
<rdar://problem/36320331>
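Review bot: the Radar reference on the "Related to" line of this ChangeLog entry, `(<rdar://problem/38464399)`, is missing its closing `>`; the entry's own `<rdar://problem/39146327>` two lines above shows the intended form. Suggest `(<rdar://problem/38464399>)` here and in the commit message so the reference is well-formed and matches the rest of the file.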
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (231197 => 231198)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-05-01 16:01:25 UTC (rev 231197)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-05-01 16:03:54 UTC (rev 231198)
@@ -1063,10 +1063,16 @@
return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm));
}
- if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH)
+ Checked<unsigned, RecordOverflow> checkedLength(oldLength);
+ checkedLength += count;
+ unsigned newLength;
+ if (CheckedState::DidOverflow == checkedLength.safeGet(newLength)) {
+ throwOutOfMemoryError(exec, scope);
+ return true;
+ }
+ if (newLength > MAX_STORAGE_VECTOR_LENGTH)
return false;
-
- if (!ensureLength(vm, oldLength + count)) {
+ if (!ensureLength(vm, newLength)) {
throwOutOfMemoryError(exec, scope);
return true;
}
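Review bot: the two failure paths added here diverge without a comment saying why. An overflowing `oldLength + count` now throws an out-of-memory error and returns true, whereas a sum that fits in `unsigned` but exceeds `MAX_STORAGE_VECTOR_LENGTH` still returns false and is left to the caller. An overflowed length would necessarily exceed the limit as well, so either both cases should take the same exit or a one-line comment above `if (CheckedState::DidOverflow == checkedLength.safeGet(newLength))` should record that overflow is treated as terminal. The ordering itself is right: `safeGet` is consulted before `newLength > MAX_STORAGE_VECTOR_LENGTH`, so a wrapped sum can no longer pass the old `oldLength + count > MAX_STORAGE_VECTOR_LENGTH` test, and `ensureLength` now receives the same checked `newLength` rather than recomputing the addition.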
@@ -1110,10 +1116,16 @@
return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm));
}
- if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH)
+ Checked<unsigned, RecordOverflow> checkedLength(oldLength);
+ checkedLength += count;
+ unsigned newLength;
+ if (CheckedState::DidOverflow == checkedLength.safeGet(newLength)) {
+ throwOutOfMemoryError(exec, scope);
+ return true;
+ }
+ if (newLength > MAX_STORAGE_VECTOR_LENGTH)
return false;
-
- if (!ensureLength(vm, oldLength + count)) {
+ if (!ensureLength(vm, newLength)) {
throwOutOfMemoryError(exec, scope);
return true;
}
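Review bot: this block duplicates the one added around line 1063 line for line, so the overflow test, the `throwOutOfMemoryError` branch and the `MAX_STORAGE_VECTOR_LENGTH` comparison now exist twice in the function the ChangeLog names. Consider hoisting the three steps into a small static helper that returns the checked `newLength` (or a failure indication) so that a later change to the bound or to the error behaviour cannot land in one copy and not the other; the same comment on the overflow-versus-too-large asymmetry applies here.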
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes