Disallow sequences with lengths exceeding max allocation supported.

third_party/WebKit/Source/bindings/core/v8/V8Binding.h

Index: third_party/WebKit/Source/bindings/core/v8/V8Binding.h
diff --git a/third_party/WebKit/Source/bindings/core/v8/V8Binding.h b/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
index 00392a53b93cb201a180f18e83c76b28d4111796..39bb123b61389b3e7f784a5730ccc35f0ce78626 100644
--- a/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
+++ b/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
@@ -661,7 +661,13 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
     return HeapVector<Member<T>>();
   }
 
-  HeapVector<Member<T>> result;
+  using VectorType = HeapVector<Member<T>>;
+  if (length > VectorType::maxCapacity()) {
+    exceptionState.throwTypeError("Array length exceeds supported limit.");

[sof, 2017/01/27 14:05:33]

Throwing RangeError is an option, and would be consistent with what's done
elsewhere.

[Justin Novosad, 2017/01/30 23:10:48]

+1
The ES6 considers 2^32-1 to be the supported limit for array lengths:
http://www.ecma-international.org/ecma-262/6.0/#sec-array-len
I think implementations that have a supported limit that is different from that
should do that same thing as if the requested length were above 2^32-1, which is
to throw a RangeError exception.

[sof, 2017/01/31 21:01:43]

Thanks, better use RangeError, so let's. I don't it represents a limitation for
real use in these particular cases.

+    return VectorType();
+  }
+
+  VectorType result;
   result.reserveInitialCapacity(length);
   v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);
   v8::TryCatch block(isolate);
@@ -669,7 +675,7 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
     v8::Local<v8::Value> element;
     if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {
       exceptionState.rethrowV8Exception(block.Exception());
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
     if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {
       v8::Local<v8::Object> elementObject =
@@ -677,7 +683,7 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
       result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));
     } else {
       exceptionState.throwTypeError("Invalid Array element type");
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
   }
   return result;
@@ -699,7 +705,13 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
     return HeapVector<Member<T>>();
   }
 
-  HeapVector<Member<T>> result;
+  using VectorType = HeapVector<Member<T>>;
+  if (length > VectorType::maxCapacity()) {
+    exceptionState.throwTypeError("Array length exceeds supported limit.");
+    return VectorType();
+  }
+
+  VectorType result;
   result.reserveInitialCapacity(length);
   v8::Local<v8::Object> object = v8::Local<v8::Object>::Cast(v8Value);
   v8::TryCatch block(isolate);
@@ -707,7 +719,7 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
     v8::Local<v8::Value> element;
     if (!v8Call(object->Get(isolate->GetCurrentContext(), i), element, block)) {
       exceptionState.rethrowV8Exception(block.Exception());
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
     if (V8TypeOf<T>::Type::hasInstance(element, isolate)) {
       v8::Local<v8::Object> elementObject =
@@ -715,7 +727,7 @@ HeapVector<Member<T>> toMemberNativeArray(v8::Local<v8::Value> value,
       result.uncheckedAppend(V8TypeOf<T>::Type::toImpl(elementObject));
     } else {
       exceptionState.throwTypeError("Invalid Array element type");
-      return HeapVector<Member<T>>();
+      return VectorType();
     }
   }
   return result;
@@ -741,7 +753,7 @@ VectorType toImplArray(v8::Local<v8::Value> value,
     return VectorType();
   }
 
-  if (length > WTF::kGenericMaxDirectMapped / sizeof(ValueType)) {
+  if (length > VectorType::maxCapacity()) {
     exceptionState.throwTypeError("Array length exceeds supported limit.");
     return VectorType();
   }
@@ -768,9 +780,15 @@ template <typename VectorType>
 VectorType toImplArray(const Vector<ScriptValue>& value,
                        v8::Isolate* isolate,
                        ExceptionState& exceptionState) {
+  using ValueType = typename VectorType::ValueType;
+  using TraitsType = NativeValueTraits<ValueType>;
+
+  if (value.size() > VectorType::maxCapacity()) {
+    exceptionState.throwTypeError("Array length exceeds supported limit.");
+    return VectorType();
+  }
+
   VectorType result;
-  typedef typename VectorType::ValueType ValueType;
-  typedef NativeValueTraits<ValueType> TraitsType;
   result.reserveInitialCapacity(value.size());
   for (unsigned i = 0; i < value.size(); ++i) {
     result.uncheckedAppend(
@@ -785,11 +803,16 @@ template <typename VectorType>
 VectorType toImplArguments(const v8::FunctionCallbackInfo<v8::Value>& info,
                            int startIndex,
                            ExceptionState& exceptionState) {
-  VectorType result;
-  typedef typename VectorType::ValueType ValueType;
-  typedef NativeValueTraits<ValueType> TraitsType;
+  using ValueType = typename VectorType::ValueType;
+  using TraitsType = NativeValueTraits<ValueType>;
+
   int length = info.Length();
+  VectorType result;
   if (startIndex < length) {
+    if (static_cast<size_t>(length - startIndex) > VectorType::maxCapacity()) {
+      exceptionState.throwTypeError("Array length exceeds supported limit.");
+      return VectorType();
+    }
     result.reserveInitialCapacity(length - startIndex);
     for (int i = startIndex; i < length; ++i) {
       result.uncheckedAppend(