[v8-dev] Issue 1927 in v8: ApiCheck in SetIndexedPropertiesToPixelData with large getImageData arguments

codesite-noreply Fri, 03 Feb 2012 02:02:13 -0800

Status: Accepted
Owner: [email protected]
Labels: Type-Bug Priority-Medium

New issue 1927 by [email protected]: ApiCheck inSetIndexedPropertiesToPixelData with large getImageData arguments

http://code.google.com/p/v8/issues/detail?id=1927

<script>
  var oCanvas = document.createElement("CANVAS");
  var oContext2d=oCanvas.getContext("2d");
  oContext2d.getImageData(0, 0, 1, 0x10000000);
</script>

void v8::Object::SetIndexedPropertiesToPixelData(uint8_t* data, int length){

  i::Isolate* isolate = Utils::OpenHandle(this)->GetIsolate();
  ON_BAILOUT(isolate, "v8::SetElementsToPixelData()", return);
  ENTER_V8(isolate);
  i::HandleScope scope(isolate);
  if (!ApiCheck(length <= i::ExternalPixelArray::kMaxLength,
                "v8::Object::SetIndexedPropertiesToPixelData()",
                "length exceeds max acceptable value")) {

Here, length is of course very large

Attachments:
        repro3.html  179 bytes

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

[v8-dev] Issue 1927 in v8: ApiCheck in SetIndexedPropertiesToPixelData with large getImageData arguments

Reply via email to