Revision: 20525
Author:   [email protected]
Date:     Mon Apr  7 05:54:32 2014 UTC
Log:      Make TypedArray::New functions crash on wrong lengths.

[email protected]
BUG=359802
LOG=N

Review URL: https://codereview.chromium.org/225983005
http://code.google.com/p/v8/source/detail?r=20525

Modified:
 /branches/bleeding_edge/src/api.cc

=======================================
--- /branches/bleeding_edge/src/api.cc  Fri Apr  4 16:05:29 2014 UTC
+++ /branches/bleeding_edge/src/api.cc  Mon Apr  7 05:54:32 2014 UTC
@@ -6075,6 +6075,7 @@
   ASSERT(byte_offset % sizeof(ElementType) == 0);

CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+  CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
   size_t byte_length = length * sizeof(ElementType);
   SetupArrayBufferView(
       isolate, obj, buffer, byte_offset, byte_length);
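Review bot: The alignment precondition on `byte_offset` directly above the new check is still an `ASSERT`, which, if it compiles out in release builds as is usual for V8's ASSERT, leaves `byte_offset` unvalidated on the same embedder-facing path that this commit hardens for `length`. Nothing in the hunk confirms that `byte_offset + byte_length` stays within the buffer either, so a bad offset could still yield a view extending past the backing store unless SetupArrayBufferView or earlier code (the function starts outside the hunk) enforces it. I would promote the alignment check to `CHECK(byte_offset % sizeof(ElementType) == 0);` and add a matching `CHECK` on the offset-plus-length range against the buffer's byte length, written so the addition itself cannot wrap.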
@@ -6103,6 +6104,11 @@
LOG_API(isolate, \
 "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \
 ENTER_V8(isolate); \
+ if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \
+ "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \
+ "length exceeds max allowed value")) { \
+ return Local<Type##Array>(); \
+ } \
 i::Handle<i::JSTypedArray> obj = \
 NewTypedArray<ctype, v8::kExternal##Type##Array, \
 i::EXTERNAL_##TYPE##_ELEMENTS>( \
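Review bot: The `ApiCheck` added to the `New` macro covers only the Smi bound, so the overflow `CHECK` in the first hunk (`length <= std::numeric_limits<size_t>::max() / sizeof(ElementType)`) can still fire as a hard abort behind it, assuming the `NewTypedArray` called here is that helper. On a 32-bit build with 8-byte elements that bound is likely the smaller of the two, so some lengths would pass the `ApiCheck` and bypass the embedder's error handler. Folding it into the condition, `length <= static_cast<size_t>(i::Smi::kMaxValue) && length <= std::numeric_limits<size_t>::max() / sizeof(ctype)`, keeps the reporting consistent. The empty `Local<Type##Array>()` returned when the handler returns deserves a mention in the public `New` documentation so callers check `IsEmpty()`. The macro body continues outside the hunk.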
