Commit 4edcc860 authored by Simon Zünd's avatar Simon Zünd Committed by Commit Bot

[heap] Throw OOM when allocating FixedDoubleArrays with negative length

Bug: chromium:938251
Change-Id: I336765c894cc78ca822904a32356db43feadea07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1505312
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60051}
parent 43b92772
...@@ -497,9 +497,8 @@ Handle<ObjectBoilerplateDescription> Factory::NewObjectBoilerplateDescription( ...@@ -497,9 +497,8 @@ Handle<ObjectBoilerplateDescription> Factory::NewObjectBoilerplateDescription(
Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length, Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length,
PretenureFlag pretenure) { PretenureFlag pretenure) {
DCHECK_LE(0, length);
if (length == 0) return empty_fixed_array(); if (length == 0) return empty_fixed_array();
if (length > FixedDoubleArray::kMaxLength) { if (length < 0 || length > FixedDoubleArray::kMaxLength) {
isolate()->heap()->FatalProcessOutOfMemory("invalid array length"); isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
} }
int size = FixedDoubleArray::SizeFor(length); int size = FixedDoubleArray::SizeFor(length);
......
...@@ -190,6 +190,7 @@ v8_source_set("unittests_sources") { ...@@ -190,6 +190,7 @@ v8_source_set("unittests_sources") {
"parser/ast-value-unittest.cc", "parser/ast-value-unittest.cc",
"parser/preparser-unittest.cc", "parser/preparser-unittest.cc",
"register-configuration-unittest.cc", "register-configuration-unittest.cc",
"regress/regress-crbug-938251-unittest.cc",
"run-all-unittests.cc", "run-all-unittests.cc",
"source-position-table-unittest.cc", "source-position-table-unittest.cc",
"strings-storage-unittest.cc", "strings-storage-unittest.cc",
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "src/heap/factory.h"
#include "src/isolate.h"
#include "test/unittests/test-utils.h"
namespace v8 {
namespace internal {
using NewFixedDoubleArrayTest = TestWithIsolateAndZone;
TEST_F(NewFixedDoubleArrayTest, ThrowOnNegativeLength) {
ASSERT_DEATH_IF_SUPPORTED({ factory()->NewFixedDoubleArray(-1); },
"Fatal javascript OOM in invalid array length");
}
} // namespace internal
} // namespace v8
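Review bot: The new death test pins only `-1`, while the condition the commit adds in factory.cc is the compound `length < 0 || length > FixedDoubleArray::kMaxLength`, so the upper bound stays unexercised and a later regression that drops the negative check would be caught, but one that breaks the `kMaxLength` side would not. A second case such as `ASSERT_DEATH_IF_SUPPORTED({ factory()->NewFixedDoubleArray(FixedDoubleArray::kMaxLength + 1); }, "Fatal javascript OOM in invalid array length");` would cover both branches of the same guard (whether `kMaxLength + 1` fits in `int` has to be confirmed from the declaration, which is not on this page). The name `ThrowOnNegativeLength` is also slightly misleading, since `FatalProcessOutOfMemory` terminates the process rather than throwing, and `ASSERT_DEATH_IF_SUPPORTED` checks exactly that; `DiesOnNegativeLength` would describe what is asserted. The single-argument call `NewFixedDoubleArray(-1)` presumably relies on a default for the `pretenure` parameter seen in the factory.cc hunk, which the page does not show.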