Disallow sequences with lengths exceeding max allocation supported.

third_party/WebKit/Source/bindings/core/v8/V8Binding.h

 /*
 * Copyright (C) 2009 Google Inc. All rights reserved.
 * Copyright (C) 2012 Ericsson AB. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ skipping 643 matching lines @@
   uint32_t length = 0;
   if (value->IsArray()) {
     length = v8::Local<v8::Array>::Cast(v8Value)->Length();
   } else if (!toV8Sequence(value, length, isolate, exceptionState)) {
     if (!exceptionState.hadException())
       exceptionState.throwTypeError(
           ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));
     return HeapVector<Member<T>>();
   }
 
-  HeapVector<Member<T>> result;
+  using VectorType = HeapVector<Member<T>>;
+  if (length > VectorType::maxCapacity()) {
+    exceptionState.throwRangeError("Array length exceeds supported limit.");
+    return VectorType();
+  }
+
+  VectorType result;
   result.reserveInitialCapacity(length);
   v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);
   v8::TryCatch block(isolate);
   for (uint32_t i = 0; i < length; ++i) {
     v8::Local<v8::Value> element;
     if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {
       exceptionState.rethrowV8Exception(block.Exception());
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
     if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {
       v8::Local<v8::Object> elementObject =
           v8::Local<v8::Object>::Cast(element);
       result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));
     } else {
       exceptionState.throwTypeError("Invalid Array element type");
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
   }
   return result;
 }
 
 template <typename T>
 HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
                                           const String& propertyName,
                                           v8::Isolate* isolate,
                                           ExceptionState& exceptionState) {
   v8::Local<v8::Value> v8Value(v8::Local<v8::Value>::New(isolate, value));
   uint32_t length = 0;
   if (value->IsArray()) {
     length = v8::Local<v8::Array>::Cast(v8Value)->Length();
   } else if (!toV8Sequence(value, length, isolate, exceptionState)) {
     if (!exceptionState.hadException())
       exceptionState.throwTypeError(
           ExceptionMessages::notASequenceTypeProperty(propertyName));
     return HeapVector<Member<T>>();
   }
 
-  HeapVector<Member<T>> result;
+  using VectorType = HeapVector<Member<T>>;
+  if (length > VectorType::maxCapacity()) {
+    exceptionState.throwRangeError("Array length exceeds supported limit.");
+    return VectorType();
+  }
+
+  VectorType result;
   result.reserveInitialCapacity(length);
   v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);
   v8::TryCatch block(isolate);
   for (uint32_t i = 0; i < length; ++i) {
     v8::Local<v8::Value> element;
     if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {
       exceptionState.rethrowV8Exception(block.Exception());
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
     if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {
       v8::Local<v8::Object> elementObject =
           v8::Local<v8::Object>::Cast(element);
       result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));
     } else {
       exceptionState.throwTypeError("Invalid Array element type");
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
   }
   return result;
 }
 
 // Converts a JavaScript value to an array as per the Web IDL specification:
 // http://www.w3.org/TR/2012/CR-WebIDL-20120419/#es-array
 template <typename VectorType>
 VectorType toImplArray(v8::Local<v8::Value> value,
                        int argumentIndex,
                        v8::Isolate* isolate,
                        ExceptionState& exceptionState) {
   typedef typename VectorType::ValueType ValueType;
   typedef NativeValueTraits<ValueType> TraitsType;
 
   uint32_t length = 0;
   if (value->IsArray()) {
     length = v8::Local<v8::Array>::Cast(value)->Length();
   } else if (!toV8Sequence(value, length, isolate, exceptionState)) {
     if (!exceptionState.hadException())
       exceptionState.throwTypeError(
           ExceptionMessages::notAnArrayTypeArgumentOrValue(argumentIndex));
     return VectorType();
   }
 
-  if (length > WTF::kGenericMaxDirectMapped / sizeof(ValueType)) {
-    exceptionState.throwTypeError("Array length exceeds supported limit.");
+  if (length > VectorType::maxCapacity()) {
+    exceptionState.throwRangeError("Array length exceeds supported limit.");
     return VectorType();
   }
 
   VectorType result;
   result.reserveInitialCapacity(length);
   v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(value);
   v8::TryCatch block(isolate);
   for (uint32_t i = 0; i < length; ++i) {
     v8::Local<v8::Value> element;
     if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {
       exceptionState.rethrowV8Exception(block.Exception());
       return VectorType();
     }
     result.uncheckedAppend(
         TraitsType::nativeValue(isolate, element, exceptionState));
     if (exceptionState.hadException())
       return VectorType();
   }
   return result;
 }
 
 template <typename VectorType>
 VectorType toImplArray(const Vector<ScriptValue>& value,
                        v8::Isolate* isolate,
                        ExceptionState& exceptionState) {
+  using ValueType = typename VectorType::ValueType;
+  using TraitsType = NativeValueTraits<ValueType>;
+
+  if (value.size() > VectorType::maxCapacity()) {
+    exceptionState.throwRangeError("Array length exceeds supported limit.");
+    return VectorType();
+  }
+
   VectorType result;
-  typedef typename VectorType::ValueType ValueType;
-  typedef NativeValueTraits<ValueType> TraitsType;
   result.reserveInitialCapacity(value.size());
   for (unsigned i = 0; i < value.size(); ++i) {
     result.uncheckedAppend(
         TraitsType::nativeValue(isolate, value[i].v8Value(), exceptionState));
     if (exceptionState.hadException())
       return VectorType();
   }
   return result;
 }
 
 template <typename VectorType>
 VectorType toImplArguments(const v8::FunctionCallbackInfo<v8::Value>& info,
                            int startIndex,
                            ExceptionState& exceptionState) {
+  using ValueType = typename VectorType::ValueType;
+  using TraitsType = NativeValueTraits<ValueType>;
+
+  int length = info.Length();
   VectorType result;
-  typedef typename VectorType::ValueType ValueType;
-  typedef NativeValueTraits<ValueType> TraitsType;
-  int length = info.Length();
   if (startIndex < length) {
+    if (static_cast<size_t>(length - startIndex) > VectorType::maxCapacity()) {
+      exceptionState.throwRangeError("Array length exceeds supported limit.");
+      return VectorType();
+    }
     result.reserveInitialCapacity(length - startIndex);
     for (int i = startIndex; i < length; ++i) {
       result.uncheckedAppend(
           TraitsType::nativeValue(info.GetIsolate(), info[i], exceptionState));
       if (exceptionState.hadException())
         return VectorType();
     }
   }
   return result;
 }
@@ skipping 335 matching lines @@
 // If the argument isn't an object, this will crash.
 CORE_EXPORT v8::Local<v8::Value> freezeV8Object(v8::Local<v8::Value>,
                                                 v8::Isolate*);
 
 CORE_EXPORT v8::Local<v8::Value> fromJSONString(v8::Isolate*,
                                                 const String& stringifiedJSON,
                                                 ExceptionState&);
 }  // namespace blink
 
 #endif  // V8Binding_h