Reviewers: rossberg,
Message:
Embarrassing...
Description:
Range checking bug in typed array constructor.
[email protected]
Please review this at https://codereview.chromium.org/14850011/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/typedarray.js
M test/mjsunit/harmony/typedarrays.js
Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index
591060544a041009c6ddd369778fcc382896ac32..e105afc38e54799c8112320949232a008c835848
100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -110,7 +110,7 @@ function CreateTypedArrayConstructor(name, elementSize,
arrayId, constructor) {
var newLength = TO_POSITIVE_INTEGER(length);
newByteLength = newLength * elementSize;
}
- if (newByteLength > bufferByteLength) {
+ if (offset + newByteLength > bufferByteLength) {
throw MakeRangeError("invalid_typed_array_length");
}
%TypedArrayInitialize(obj, arrayId, buffer, offset, newByteLength);
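Review bot: The corrected guard `if (offset + newByteLength > bufferByteLength)` is the only bounds check visible before `%TypedArrayInitialize(obj, arrayId, buffer, offset, newByteLength)`, and nothing in the hunk states the invariant it protects. I would add a comment directly above it, e.g. `// The view [offset, offset + newByteLength) must lie entirely within the buffer.`, so a later edit does not drop the offset term again. Because a wrong check here yields a view that extends past the buffer's backing store, it is also worth confirming that the runtime function asserts the same condition instead of trusting the JavaScript caller; that code is not shown here. CreateTypedArrayConstructor starts and ends outside the hunk, so how `offset` itself is validated cannot be checked from these lines.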
Index: test/mjsunit/harmony/typedarrays.js
diff --git a/test/mjsunit/harmony/typedarrays.js
b/test/mjsunit/harmony/typedarrays.js
index
c868d114462f7dae8bdd2419dc76dd65699b3a9a..21c6054072a8f4875af75c9b34120133ff369285
100644
--- a/test/mjsunit/harmony/typedarrays.js
+++ b/test/mjsunit/harmony/typedarrays.js
@@ -192,6 +192,9 @@ function TestTypedArray(proto, elementSize,
typicalElement) {
}
assertThrows(function () { new proto(ab, 256*elementSize); },
RangeError);
+ assertThrows(
+ function () { new proto(ab, 128*elementSize, 192); },
+ RangeError);
if (elementSize !== 1) {
assertThrows(function() { new proto(ab, 128*elementSize - 1, 10); },
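Review bot: The added assertion uses a length of 192, which overshoots the end by a wide margin, so it would still pass if the comparison were later weakened by an off-by-one. Assuming `ab` is 256*elementSize bytes (its allocation is outside this hunk), add the tight case `assertThrows(function () { new proto(ab, 128*elementSize, 129); }, RangeError);` and, if not already covered elsewhere in TestTypedArray, a non-throwing `new proto(ab, 128*elementSize, 128)` for the exact fit. TestTypedArray begins and ends outside the hunk.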