Commit 163ad9ff authored by dslomov@chromium.org's avatar dslomov@chromium.org

Make TypedArray::New functions crash on wrong lengths.

R=jkummerow@chromium.org
BUG=359802
LOG=N

Review URL: https://codereview.chromium.org/225983005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 8e9eebeb
...@@ -6075,6 +6075,7 @@ i::Handle<i::JSTypedArray> NewTypedArray( ...@@ -6075,6 +6075,7 @@ i::Handle<i::JSTypedArray> NewTypedArray(
ASSERT(byte_offset % sizeof(ElementType) == 0); ASSERT(byte_offset % sizeof(ElementType) == 0);
CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType))); CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
size_t byte_length = length * sizeof(ElementType); size_t byte_length = length * sizeof(ElementType);
SetupArrayBufferView( SetupArrayBufferView(
isolate, obj, buffer, byte_offset, byte_length); isolate, obj, buffer, byte_offset, byte_length);
...@@ -6103,6 +6104,11 @@ i::Handle<i::JSTypedArray> NewTypedArray( ...@@ -6103,6 +6104,11 @@ i::Handle<i::JSTypedArray> NewTypedArray(
LOG_API(isolate, \ LOG_API(isolate, \
"v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \ "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)"); \
ENTER_V8(isolate); \ ENTER_V8(isolate); \
if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue), \
"v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)", \
"length exceeds max allowed value")) { \
return Local<Type##Array>(); \
} \
i::Handle<i::JSTypedArray> obj = \ i::Handle<i::JSTypedArray> obj = \
NewTypedArray<ctype, v8::kExternal##Type##Array, \ NewTypedArray<ctype, v8::kExternal##Type##Array, \
i::EXTERNAL_##TYPE##_ELEMENTS>( \ i::EXTERNAL_##TYPE##_ELEMENTS>( \