Range checking bug in typed array constructor.

R=rossberg@chromium.org Review URL: https://codereview.chromium.org/14850011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Range checking bug in typed array constructor.
R=rossberg@chromium.org Review URL: https://codereview.chromium.org/14850011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
343bf339 · dslomov@chromium.org · 2751eeb3 · 343bf339 · 343bf339
Commit 343bf339 authored May 02, 2013 by dslomov@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

typedarray.js src/typedarray.js +1 -1

typedarrays.js test/mjsunit/harmony/typedarrays.js +3 -0

No files found.
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -110,7 +110,7 @@ function CreateTypedArrayConstructor(name, elementSize, arrayId, constructor) {
      var newLength = TO_POSITIVE_INTEGER(length);
      newByteLength = newLength * elementSize;
    }
-    if (newByteLength > bufferByteLength) {
+    if (offset + newByteLength > bufferByteLength) {
      throw MakeRangeError("invalid_typed_array_length");
    }
    %TypedArrayInitialize(obj, arrayId, buffer, offset, newByteLength);

--- a/test/mjsunit/harmony/typedarrays.js
+++ b/test/mjsunit/harmony/typedarrays.js
@@ -192,6 +192,9 @@ function TestTypedArray(proto, elementSize, typicalElement) {
  }

  assertThrows(function () { new proto(ab, 256*elementSize); }, RangeError);
+  assertThrows(
+      function () { new proto(ab, 128*elementSize, 192); },
+      RangeError);

  if (elementSize !== 1) {
    assertThrows(function() { new proto(ab, 128*elementSize - 1, 10); },