| Index: src/d8.cc
|
| diff --git a/src/d8.cc b/src/d8.cc
|
| index 56a43ad2411e375f529beca5a62dd6c2df5469ac..ae86243fd224b711b3a4b6246743fe31d59ad712 100644
|
| --- a/src/d8.cc
|
| +++ b/src/d8.cc
|
| @@ -223,14 +223,28 @@ Handle<Value> Shell::Load(const Arguments& args) {
|
|
|
| Handle<Value> Shell::CreateExternalArray(const Arguments& args,
|
| ExternalArrayType type,
|
| - int element_size) {
|
| + size_t element_size) {
|
| if (args.Length() != 1) {
|
| return ThrowException(
|
| String::New("Array constructor needs one parameter."));
|
| }
|
| - int length = args[0]->Int32Value();
|
| - void* data = malloc(length * element_size);
|
| - memset(data, 0, length * element_size);
|
| + if (args[0]->Int32Value() < 0) {
|
| + return ThrowException(String::New("Array length must not be negative."));
|
| + }
|
| + size_t length = static_cast<size_t>(args[0]->Int32Value());
|
| + if (length > static_cast<size_t>(internal::ExternalArray::kMaxLength)) {
|
| + return ThrowException(String::New("Array length exceeds maximum length."));
|
| + }
|
| + size_t malloc_size = length * element_size;
|
| + // Check for overflow in the multiplication.
|
| + if (malloc_size < length || malloc_size < element_size) {
|
| + return ThrowException(String::New("Array size exceeds memory limit."));
|
| + }
|
| + void* data = malloc(malloc_size);
|
| + if (data == NULL) {
|
| + return ThrowException(String::New("Memory allocation failed."));
|
| + }
|
| + memset(data, 0, malloc_size);
|
| Handle<Object> array = Object::New();
|
| Persistent<Object> persistent_array = Persistent<Object>::New(array);
|
| persistent_array.MakeWeak(data, ExternalArrayWeakCallback);
|
|
|
Chromium Code Reviews
Issue 7268002:
Error checking for length parameter of external array constructors in shell (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge