Fix out-of-bounds access in fetching propery names

R=vegorov@chromium.org BUG=chromium:91517 TEST=none Review URL: http://codereview.chromium.org/7565009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8823 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix out-of-bounds access in fetching propery names
R=vegorov@chromium.org BUG=chromium:91517 TEST=none Review URL: http://codereview.chromium.org/7565009 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8823 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
9aa75ed9 · danno@chromium.org · 767debf7 · 9aa75ed9 · 9aa75ed9 · 9aa75ed9
Commit 9aa75ed9 authored Aug 04, 2011 by danno@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 5 deletions

objects.cc src/objects.cc +5 -2

objects.h src/objects.h +1 -1

runtime.cc src/runtime.cc +3 -2

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -9537,7 +9537,9 @@ void JSObject::GetLocalPropertyNames(FixedArray* storage, int index) {
    }
    ASSERT(storage->length() >= index);
  } else {
-    property_dictionary()->CopyKeysTo(storage, StringDictionary::UNSORTED);
+    property_dictionary()->CopyKeysTo(storage,
+                                      index,
+                                      StringDictionary::UNSORTED);
  }
 }
@@ -10286,6 +10288,7 @@ template MaybeObject* Dictionary<NumberDictionaryShape, uint32_t>::Shrink(
 template void Dictionary<StringDictionaryShape, String*>::CopyKeysTo(
    FixedArray*,
+    int,
    Dictionary<StringDictionaryShape, String*>::SortMode);
 template int
@@ -11415,11 +11418,11 @@ void StringDictionary::CopyEnumKeysTo(FixedArray* storage,
 template<typename Shape, typename Key>
 void Dictionary<Shape, Key>::CopyKeysTo(
    FixedArray* storage,
+    int index,
    typename Dictionary<Shape, Key>::SortMode sort_mode) {
  ASSERT(storage->length() >= NumberOfElementsFilterAttributes(
      static_cast<PropertyAttributes>(NONE)));
  int capacity = HashTable<Shape, Key>::Capacity();
-  int index = 0;
  for (int i = 0; i < capacity; i++) {
    Object* k = HashTable<Shape, Key>::KeyAt(i);
    if (HashTable<Shape, Key>::IsKey(k)) {

--- a/src/objects.h
+++ b/src/objects.h
@@ -2810,7 +2810,7 @@ class Dictionary: public HashTable<Shape, Key> {
                  PropertyAttributes filter,
                  SortMode sort_mode);
  // Fill in details for properties into storage.
-  void CopyKeysTo(FixedArray* storage, SortMode sort_mode);
+  void CopyKeysTo(FixedArray* storage, int index, SortMode sort_mode);
  // Accessors for next enumeration index.
  void SetNextEnumerationIndex(int index) {

--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4584,9 +4584,10 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_GetLocalPropertyNames) {
  // Get the property names.
  jsproto = obj;
  int proto_with_hidden_properties = 0;
+  int next_copy_index = 0;
  for (int i = 0; i < length; i++) {
-    jsproto->GetLocalPropertyNames(*names,
+    jsproto->GetLocalPropertyNames(*names, next_copy_index);
-                                   i == 0 ? 0 : local_property_count[i - 1]);
+    next_copy_index += local_property_count[i];
    if (jsproto->HasHiddenProperties()) {
      proto_with_hidden_properties++;
    }