Comment #2 on issue 2931 by [email protected]: `new TypedArray(n)` not
ArrayBuffer tamper proof
http://code.google.com/p/v8/issues/detail?id=2931
Forgot to mention, the fix seems to be pretty trivial:
diff --git a/src/typedarray.js b/src/typedarray.js
index da12ccf..0f54db5 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -31,6 +31,7 @@
// in runtime.js:
// var $Array = global.Array;
+var $ArrayBuffer = global.ArrayBuffer;
// --------------- Typed Arrays ---------------------
@@ -70,7 +71,7 @@ function CreateTypedArrayConstructor(name, elementSize,
arrayId, constructor) {
function ConstructByLength(obj, length) {
var l = ToPositiveInteger(length, "invalid_typed_array_length");
var byteLength = l * elementSize;
- var buffer = new global.ArrayBuffer(byteLength);
+ var buffer = new $ArrayBuffer(byteLength);
%TypedArrayInitialize(obj, arrayId, buffer, 0, byteLength);
}
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
