Commit 6f6ca730 authored by Daniel Clifford's avatar Daniel Clifford Committed by Commit Bot

Fix OOB access in Array.prototype.slice

Bug: chromium:791345
Change-Id: I81e5e23e2ddfc5e78a4ca922ceffda28516277c3
Reviewed-on: https://chromium-review.googlesource.com/806097Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49871}
parent f8834852
...@@ -1194,7 +1194,7 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler { ...@@ -1194,7 +1194,7 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
Node* unmapped_elements_length = Node* unmapped_elements_length =
LoadFixedArrayBaseLength(unmapped_elements); LoadFixedArrayBaseLength(unmapped_elements);
GotoIf(SmiGreaterThan(end, unmapped_elements_length), slow); GotoIf(SmiAbove(end, unmapped_elements_length), slow);
Node* array_map = LoadJSArrayElementsMap(HOLEY_ELEMENTS, native_context); Node* array_map = LoadJSArrayElementsMap(HOLEY_ELEMENTS, native_context);
result.Bind(AllocateJSArray(HOLEY_ELEMENTS, array_map, count, count, result.Bind(AllocateJSArray(HOLEY_ELEMENTS, array_map, count, count,
......
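Review bot: The new `GotoIf(SmiAbove(end, unmapped_elements_length), slow)` line carries no comment explaining why `end` is now compared as an unsigned Smi, and nothing nearby says so; a later maintainer could "simplify" it back to `SmiGreaterThan` and reintroduce the out-of-bounds access the commit title describes. I would add, directly above that line, `// Unsigned compare: a negative |end| must also take the slow path instead of passing as "less than" the length.` (this assumes `SmiAbove` follows V8's convention of Above meaning unsigned greater-than — confirm against the CodeStubAssembler definition). The hunk then allocates the result with `count` without a visible check relating `count` to `end` and the start index; if that check lives outside the hunk it is fine, otherwise it deserves the same unsigned treatment. The enclosing method starts and ends outside the hunk.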
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function(a) {
var len = 0x80000000;
arguments.length = len;
Array.prototype.slice.call(arguments, len - 1, len);
}('a'));
(function(a) {
var len = 0x40000000;
arguments.length = len;
Array.prototype.slice.call(arguments, len - 1, len);
}('a'));
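Review bot: Both regression cases only check that the `slice` call does not crash; neither inspects the returned array, so a regression that returned garbage instead of faulting would still pass. I would capture the result and pin its shape, e.g. `var r = Array.prototype.slice.call(arguments, len - 1, len); assertEquals(1, r.length);` in each case (presumably mjsunit's `assertEquals` is available — the file's path is not visible here, confirm it sits under test/mjsunit). A one-line comment after the license header naming the bug would also help, `// Regression test for chromium:791345: slice() on an arguments object with an oversized length must not access out of bounds.`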