Runtime CHECK for overflow in NewTypedArray.

R=ulan@chromium.org Review URL: https://codereview.chromium.org/62713006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17739 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Runtime CHECK for overflow in NewTypedArray.
R=ulan@chromium.org Review URL: https://codereview.chromium.org/62713006 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17739 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
230d5bf3 · dslomov@chromium.org · aefa2a21 · 230d5bf3
Commit 230d5bf3 authored Nov 14, 2013 by dslomov@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

api.cc src/api.cc +3 -1

No files found.
--- a/src/api.cc
+++ b/src/api.cc
@@ -6132,8 +6132,10 @@ i::Handle<i::JSTypedArray> NewTypedArray(
  ASSERT(byte_offset % sizeof(ElementType) == 0);
+  CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+  size_t byte_length = length * sizeof(ElementType);
  SetupArrayBufferView(
-      isolate, obj, buffer, byte_offset, length * sizeof(ElementType));
+      isolate, obj, buffer, byte_offset, byte_length);
  i::Handle<i::Object> length_object =
    isolate->factory()->NewNumberFromSize(length);