Revision: 8823
Author: [email protected]
Date: Thu Aug 4 02:23:25 2011
Log: Fix out-of-bounds access in fetching property names
[email protected]
BUG=chromium:91517
TEST=none
Review URL: http://codereview.chromium.org/7565009
http://code.google.com/p/v8/source/detail?r=8823
Modified:
/branches/bleeding_edge/src/objects.cc
/branches/bleeding_edge/src/objects.h
/branches/bleeding_edge/src/runtime.cc
=======================================
--- /branches/bleeding_edge/src/objects.cc Wed Aug 3 05:48:30 2011
+++ /branches/bleeding_edge/src/objects.cc Thu Aug 4 02:23:25 2011
@@ -9537,7 +9537,9 @@
}
ASSERT(storage->length() >= index);
} else {
- property_dictionary()->CopyKeysTo(storage, StringDictionary::UNSORTED);
+ property_dictionary()->CopyKeysTo(storage,
+ index,
+ StringDictionary::UNSORTED);
}
}
@@ -10286,6 +10288,7 @@
template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo(
FixedArray*,
+ int,
Dictionary<StringDictionaryShape, String*>::SortMode);
template int
@@ -11415,11 +11418,11 @@
template<typename Shape, typename Key>
void Dictionary<Shape, Key>::CopyKeysTo(
FixedArray* storage,
+ int index,
typename Dictionary<Shape, Key>::SortMode sort_mode) {
ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
static_cast<PropertyAttributes>(NONE)));
int capacity = HashTable<Shape, Key>::Capacity();
- int index = 0;
for (int i = 0; i < capacity; i++) {
Object* k = HashTable<Shape, Key>::KeyAt(i);
if (HashTable<Shape, Key>::IsKey(k)) {
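Review bot: The precondition `ASSERT(storage->length() >= NumberOfElementsFilterAttributes(static_cast<PropertyAttributes>(NONE)));` at the top of CopyKeysTo was not updated for the new `index` parameter, so it still only shows that the keys fit when writing starts at slot 0. With a nonzero start offset the requirement becomes `storage->length() >= index + NumberOfElementsFilterAttributes(static_cast<PropertyAttributes>(NONE))`, and the assert should state that. ASSERT is presumably compiled out of release builds, so this documents the contract rather than enforcing it, and the caller in objects.cc (first hunk) still has to pass a correctly sized array. The function body continues past the hunk; if the remainder treats `index` as an element count, for example when sorting, that use should be re-checked now that `index` no longer starts at 0.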
=======================================
--- /branches/bleeding_edge/src/objects.h Wed Aug 3 05:48:30 2011
+++ /branches/bleeding_edge/src/objects.h Thu Aug 4 02:23:25 2011
@@ -2810,7 +2810,7 @@
PropertyAttributes filter,
SortMode sort_mode);
// Fill in details for properties into storage.
- void CopyKeysTo(FixedArray* storage, SortMode sort_mode);
+ void CopyKeysTo(FixedArray* storage, int index, SortMode sort_mode);
// Accessors for next enumeration index.
void SetNextEnumerationIndex(int index) {
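Review bot: The comment above the changed declaration, `// Fill in details for properties into storage.`, does not mention the new `index` parameter or what the caller must guarantee about the size of `storage`. I would extend it to something like `// Copy keys into storage starting at position index; storage must have room for index plus the number of keys.` so that the bounds contract is visible at the declaration rather than only in the implementation.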
=======================================
--- /branches/bleeding_edge/src/runtime.cc Wed Aug 3 08:42:25 2011
+++ /branches/bleeding_edge/src/runtime.cc Thu Aug 4 02:23:25 2011
@@ -4584,9 +4584,10 @@
// Get the property names.
jsproto = obj;
int proto_with_hidden_properties = 0;
+ int next_copy_index = 0;
for (int i = 0; i < length; i++) {
- jsproto->GetLocalPropertyNames(*names,
- i == 0 ? 0 : local_property_count[i -
1]);
+ jsproto->GetLocalPropertyNames(*names, next_copy_index);
+ next_copy_index += local_property_count[i];
if (jsproto->HasHiddenProperties()) {
proto_with_hidden_properties++;
}
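Review bot: The running offset `next_copy_index` is never checked against the size of `names`, and the commit is marked `TEST=none` although it fixes an out-of-bounds access. The allocation of `names` and the pass that fills `local_property_count` are outside the hunk, so I cannot confirm that both passes see the same counts. Assuming `names` is a handle to a FixedArray, a debug check after the loop such as `ASSERT(next_copy_index <= names->length());` would catch any drift between counting and copying. A regression test on an object whose prototype chain contains several objects with their own properties would pin the offset arithmetic.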