Chromium Code Reviews| Index: src/api.cc |
| diff --git a/src/api.cc b/src/api.cc |
| index 75c67e096af3a7655f150da19ebeaea65a1827de..89d16cbd7c69524f6dee57392a452d2f51cd40ee 100644 |
| --- a/src/api.cc |
| +++ b/src/api.cc |
| @@ -6075,6 +6075,7 @@ i::Handle<i::JSTypedArray> NewTypedArray( |
| ASSERT(byte_offset % sizeof(ElementType) == 0); |
| CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType))); |
| + CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue)); |
|
Jakob Kummerow
2014/04/06 11:41:15
With the change below we should never hit this case.
Dmitry Lomov (no reviews)
2014/04/07 05:54:22
Exactly.
|
| size_t byte_length = length * sizeof(ElementType); |
| SetupArrayBufferView( |
| isolate, obj, buffer, byte_offset, byte_length); |
| @@ -6103,6 +6104,11 @@ i::Handle<i::JSTypedArray> NewTypedArray( |
| LOG_API(isolate, \ |
| "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ |
| ENTER_V8(isolate); \ |
| + if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \ |
| + "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \ |
| + "length exceeds max allowed value")) { \ |
| + return Local<Type##Array>(); \ |
|
Jakob Kummerow
2014/04/06 11:41:15
nit: indentation (2 spaces is enough)
Dmitry Lomov (no reviews)
2014/04/07 05:54:22
Done.
|
| + } \ |
| i::Handle<i::JSTypedArray> obj = \ |
| NewTypedArray<ctype, v8::kExternal##Type##Array, \ |
| i::EXTERNAL_##TYPE##_ELEMENTS>( \ |