[api] Fix possible OOB when using SetAndGrow

R=jkummerow@chromium.org BUG=chromium:630217 Review-Url: https://codereview.chromium.org/2201023004 Cr-Commit-Position: refs/heads/master@{#38287}

[api] Fix possible OOB when using SetAndGrow
R=jkummerow@chromium.org BUG=chromium:630217 Review-Url: https://codereview.chromium.org/2201023004 Cr-Commit-Position: refs/heads/master@{#38287}
bdb4e2cb · cbruni · Commit bot · f813494f · bdb4e2cb
Commit bdb4e2cb authored Aug 03, 2016 by cbruni Committed by Commit bot Aug 03, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

objects.cc src/objects.cc +1 -1

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -9782,7 +9782,7 @@ Handle<FixedArray> FixedArray::SetAndGrow(Handle<FixedArray> array, int index,
  int capacity = array->length();
  do {
    capacity = JSObject::NewElementsCapacity(capacity);
-  } while (capacity < index);
+  } while (capacity <= index);
  Handle<FixedArray> new_array =
      array->GetIsolate()->factory()->NewUninitializedFixedArray(capacity);
  array->CopyTo(0, *new_array, 0, array->length());