Reviewers: Jakob,
Message:
PTAL
Description:
Make TypedArray::New functions crash on wrong lengths.
[email protected]
BUG=359802
LOG=N
Please review this at https://codereview.chromium.org/225983005/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+6, -0 lines):
M src/api.cc
Index: src/api.cc
diff --git a/src/api.cc b/src/api.cc
index
75c67e096af3a7655f150da19ebeaea65a1827de..89d16cbd7c69524f6dee57392a452d2f51cd40ee
100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -6075,6 +6075,7 @@ i::Handle<i::JSTypedArray> NewTypedArray(
ASSERT(byte_offset % sizeof(ElementType) == 0);
CHECK(length <= (std::numeric_limits<size_t>::max() /
sizeof(ElementType)));
+ CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
size_t byte_length = length * sizeof(ElementType);
SetupArrayBufferView(
isolate, obj, buffer, byte_offset, byte_length);
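Review bot: The added `CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue))` bounds the element count, but `byte_length = length * sizeof(ElementType)` on the next line can still be up to sizeof(ElementType) times larger than that limit; if SetupArrayBufferView (outside the hunk) stores byte_length or byte_offset + byte_length in a Smi-backed field, the bound belongs on the byte count instead, e.g. `CHECK(byte_length <= static_cast<size_t>(i::Smi::kMaxValue));` placed after byte_length is computed — worth confirming against that helper. Note also that the alignment check just above is an ASSERT, which compiles out in release builds, so an embedder passing a misaligned byte_offset is not caught by either CHECK; if no release-mode check exists upstream, it should get the same treatment. A one-line comment on the new CHECK, such as `// Hard backstop: the public *Array::New entry points reject this with ApiCheck first.`, would make the split between the graceful API path and this crash path explicit. NewTypedArray's signature and the rest of its body are outside the hunk.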
@@ -6103,6 +6104,11 @@ i::Handle<i::JSTypedArray> NewTypedArray(
LOG_API(isolate, \
"v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t,
size_t)"); \
ENTER_V8(isolate); \
+ if (!Utils::ApiCheck(length <=
static_cast<size_t>(i::Smi::kMaxValue), \
+ "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t,
size_t)", \
+ "length exceeds max allowed value"))
{ \
+ return
Local<Type##Array>(); \
+
} \
i::Handle<i::JSTypedArray> obj
= \
NewTypedArray<ctype,
v8::kExternal##Type##Array, \
i::EXTERNAL_##TYPE##_ELEMENTS>( \
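Review bot: The bound `static_cast<size_t>(i::Smi::kMaxValue)` is now spelled out twice, once in this ApiCheck and once in the CHECK inside NewTypedArray, with no shared name tying them together; a file-local constant such as `static const size_t kMaxTypedArrayLength = static_cast<size_t>(i::Smi::kMaxValue);` used in both places would keep the graceful rejection and the hard crash from drifting apart. The new ApiCheck validates only length, while byte_offset alignment is still only ASSERTed (debug-only) in NewTypedArray; if nothing else validates it in release, a parallel `Utils::ApiCheck(byte_offset % sizeof(ctype) == 0, "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", "byte_offset is not aligned")` here would give embedders the same clean failure for that input. The line continuations in this hunk appear to have been rewrapped by the mailer, so the exact macro layout should be checked in the actual patch. The macro's opening and closing lines are outside the hunk.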
--