Reviewers: Jakob,

Description:
Check that the offset argument of TypedArray.set fits into a Smi.

[email protected]
BUG=340125
LOG=Y

Please review this at https://codereview.chromium.org/145623009/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+8, -10 lines):
  M src/typedarray.js
  A + test/mjsunit/regress/regress-340125.js


Index: src/typedarray.js
diff --git a/src/typedarray.js b/src/typedarray.js
index 21dd9c82d14f02d1d265f87604386e57cd09f890..c0f07eda85623defe627fa5f7d834bfb5f2ba6e5 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -243,6 +243,10 @@ function TypedArraySet(obj, offset) {
   if (intOffset < 0) {
     throw MakeTypeError("typed_array_set_negative_offset");
   }
+
+  if (intOffset > %MaxSmi()) {
+    throw MakeRangeError("typed_array_set_source_too_large");
+  }
   switch (%TypedArraySetFastCases(this, obj, intOffset)) {
     // These numbers should be synchronized with runtime.cc.
     case 0: // TYPED_ARRAY_SET_TYPED_ARRAY_SAME_TYPE
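Review bot: The new guard `if (intOffset > %MaxSmi())` reuses the message key `typed_array_set_source_too_large`, although what it rejects is the offset, not the source length. It also raises a RangeError, where the negative-offset check directly above raises a TypeError, so the two offset failures are reported inconsistently; a dedicated message key for an over-large offset would be clearer. The guard has no comment explaining why the bound is MaxSmi. Presumably `%TypedArraySetFastCases` takes the offset as a Smi, so after confirming that against runtime.cc I would add `// The runtime call below expects the offset as a Smi; reject larger values here.` above the check. TypedArraySet starts and ends outside the hunk.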
Index: test/mjsunit/regress/regress-340125.js
diff --git a/test/mjsunit/regress/regress-336820.js b/test/mjsunit/regress/regress-340125.js
similarity index 89%
copy from test/mjsunit/regress/regress-336820.js
copy to test/mjsunit/regress/regress-340125.js
index 9b466296043b858df75b7f1fe9f959b66abea969..a3e40a8d5ac4cc381dd70f83e32914ddbbc972f1 100644
--- a/test/mjsunit/regress/regress-336820.js
+++ b/test/mjsunit/regress/regress-340125.js
@@ -24,13 +24,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-assertThrows((function() {
-  s = "Hello World!\n";
-  while (true) {
-    x = new Array();
-    x[0] = s;
-    x[1000] = s;
-    x[1000000] = s;
-    s = x.join("::");
-  }}), RangeError);
+//
+var a = new Int8Array(2);
+var b = a.subarray(2, 4);
+assertThrows(function () { a.set(b, 1e10); }, RangeError);
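Review bot: The regression test covers a single offset, `1e10`, and its source `b` is empty, because `a.subarray(2, 4)` on a two-element array has length zero. It therefore pins neither a value just past the Smi range nor a source that would actually copy bytes. I would add `assertThrows(function () { a.set(new Int8Array(1), 1e10); }, RangeError);` and `assertThrows(function () { a.set(b, 0x80000000); }, RangeError);`, the latter assuming 2^31 exceeds MaxSmi on every supported Smi width. The lone `//` line left over from the copied header could instead say what is being tested, e.g. `// TypedArray.set must reject offsets that do not fit into a Smi (bug 340125).`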

