Reviewers: Michael Achenbach,

Description:
Version 3.24.35.33 (merged r20525)

Make TypedArray::New functions crash on wrong lengths.

BUG=359802
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/241843002/

SVN Base: https://v8.googlecode.com/svn/branches/3.24

Affected files (+7, -1 lines):
  M src/api.cc
  M src/version.cc


Index: src/api.cc
diff --git a/src/api.cc b/src/api.cc
index 54a3e9145dd61243c74cb8fd5e1a77f657289235..872dcc6a68022144793bb161065014727c1cad2f 100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -5902,6 +5902,7 @@ i::Handle<i::JSTypedArray> NewTypedArray(
   ASSERT(byte_offset % sizeof(ElementType) == 0);

CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+  CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
   size_t byte_length = length * sizeof(ElementType);
   SetupArrayBufferView(
       isolate, obj, buffer, byte_offset, byte_length);
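Review bot: The new CHECK on line 30 bounds `length` to Smi::kMaxValue, but `byte_length` on the following line (`length * sizeof(ElementType)`) is still only bounded by the size_t overflow check above it; if the byte length is also stored in a Smi-sized field, that product can exceed the limit for multi-byte element types, so confirm what SetupArrayBufferView expects. The reason for the Smi bound is not stated in the hunk; a comment such as `// length is stored in a Smi-sized field; the public New() wrappers reject larger values via ApiCheck, this guards internal callers.` would document it (adjust if the storage assumption does not hold). Note that the alignment requirement on line 27 is an ASSERT and so is not enforced in release builds, unlike the new CHECK. NewTypedArray starts before and continues past this hunk.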
@@ -5928,6 +5929,11 @@ i::Handle<i::JSTypedArray> NewTypedArray(
LOG_API(isolate, \
"v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \
ENTER_V8(isolate); \
+ if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \
+ "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \
+ "length exceeds max allowed value")) { \
+ return Local<Type##Array>(); \
+ } \
i::Handle<i::JSTypedArray> obj = \
NewTypedArray<ctype, v8::kExternal##Type##Array, \
i::EXTERNAL_##TYPE##_ELEMENTS>( \
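Review bot: The new ApiCheck rejects an oversized `length`, but `byte_offset` gets no corresponding check in this public entry point — its alignment is only ASSERTed inside NewTypedArray (debug builds only, per line 27), and whether `byte_offset + byte_length` is validated against the buffer's length depends on SetupArrayBufferView, which is not visible in this diff. Since these wrappers take embedder-supplied size_t arguments, consider a second check such as `Utils::ApiCheck(byte_offset <= static_cast<size_t>(i::Smi::kMaxValue), ..., "byte_offset exceeds max allowed value")`, or confirm the downstream code rejects bad offsets. As a style point, the API name string literal is now repeated in LOG_API and ApiCheck; hoisting it into a local `static const char* const kApiName` inside the expansion would keep the two from drifting. The enclosing macro definition starts before this hunk and continues past it.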
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index bb2cf2816255b23d5d82545ff655990d54320523..c4b987a5ac1aff4d7ebea12061afef69d18c3992 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION     3
 #define MINOR_VERSION     24
 #define BUILD_NUMBER      35
-#define PATCH_LEVEL       32
+#define PATCH_LEVEL       33
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0

