Error checking for length parameter of external array constructors in shell

samples/shell.cc

Index: samples/shell.cc
diff --git a/samples/shell.cc b/samples/shell.cc
index 950370adaa80fda9bd7896a41a0c3f32e7e69eaa..15c1a5ad73dfa02be22f8d7c168328678d30cc21 100644
--- a/samples/shell.cc
+++ b/samples/shell.cc
@@ -497,14 +497,39 @@ void ExternalArrayWeakCallback(v8::Persistent<v8::Value> object, void* data) {
 
 v8::Handle<v8::Value> CreateExternalArray(const v8::Arguments& args,
                                           v8::ExternalArrayType type,
-                                          int element_size) {
+                                          size_t element_size) {
+  ASSERT(element_size == 1 || element_size == 2 || element_size == 4 ||
+         element_size == 8);
   if (args.Length() != 1) {
     return v8::ThrowException(
         v8::String::New("Array constructor needs one parameter."));
   }
-  int length = args[0]->Int32Value();
-  void* data = malloc(length * element_size);
-  memset(data, 0, length * element_size);
+  size_t length = 0;
+  if (args[0]->IsUint32()) {
+    length = args[0]->Uint32Value();
+  } else if (args[0]->IsNumber()) {
+    double raw_length = args[0]->NumberValue();
+    if (raw_length < 0) {
+      return v8::ThrowException(
+          v8::String::New("Array length must not be negative."));
+    }
+    if (raw_length > v8::internal::ExternalArray::kMaxLength) {
+      return v8::ThrowException(
+          v8::String::New("Array length exceeds maximum length."));
+    }
+    length = static_cast<size_t>(raw_length);
+  } else {
+    return v8::ThrowException(
+        v8::String::New("Array length must be a number."));
+  }
+  if (length > static_cast<size_t>(v8::internal::ExternalArray::kMaxLength)) {
+    return v8::ThrowException(
+        v8::String::New("Array length exceeds maximum length."));
+  }
+  void* data = calloc(length, element_size);
+  if (data == NULL) {
+    return v8::ThrowException(v8::String::New("Memory allocation failed."));
+  }
   v8::Handle<v8::Object> array = v8::Object::New();
   v8::Persistent<v8::Object> persistent_array =
       v8::Persistent<v8::Object>::New(array);