Title: [88506] trunk/Source/_javascript_Core
- Revision
- 88506
- Author
- [email protected]
- Date
- 2011-06-09 17:30:21 -0700 (Thu, 09 Jun 2011)
Log Message
Bug 62405 - Fix integer overflow in Array.prototype.push
Reviewed by Geoff Garen.
Fix geoff's review comments re static_cast.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (88505 => 88506)
--- trunk/Source/_javascript_Core/ChangeLog 2011-06-10 00:03:18 UTC (rev 88505)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-06-10 00:30:21 UTC (rev 88506)
@@ -1,3 +1,14 @@
+2011-06-09 Gavin Barraclough <[email protected]>
+
+ Reviewed by Geoff Garen.
+
+ Bug 62405 - Fix integer overflow in Array.prototype.push
+
+ Fix geoff's review comments re static_cast.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush):
+
2011-06-09 Geoffrey Garen <[email protected]>
Reviewed by Oliver Hunt.
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (88505 => 88506)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2011-06-10 00:03:18 UTC (rev 88505)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2011-06-10 00:30:21 UTC (rev 88506)
@@ -407,11 +407,11 @@
thisObj->put(exec, length + n, exec->argument(n));
else {
PutPropertySlot slot;
- Identifier propertyName(exec, JSValue((int64_t)length + (int64_t)n).toString(exec));
+ Identifier propertyName(exec, JSValue(static_cast<int64_t>(length) + static_cast<int64_t>(n)).toString(exec));
thisObj->put(exec, propertyName, exec->argument(n), slot);
}
}
- JSValue newLength = jsNumber((int64_t)length + (int64_t)exec->argumentCount());
+ JSValue newLength(static_cast<int64_t>(length) + static_cast<int64_t>(exec->argumentCount()));
putProperty(exec, thisObj, exec->propertyNames().length, newLength);
return JSValue::encode(newLength);
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
