[runtime] Throw RangeError if we try to get too many values or entries

Bug: chromium:973363
Change-Id: Id2e46702f73e901df5f26b764d98fb3d4f681a98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657914
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62143}

src/objects/js-objects.cc

@@ -1828,6 +1828,13 @@ V8_WARN_UNUSED_RESULT Maybe<bool> FastGetOwnValuesOrEntries(
   int number_of_own_descriptors = map->NumberOfOwnDescriptors();
   int number_of_own_elements =
       object->GetElementsAccessor()->GetCapacity(*object, object->elements());
+
+  if (number_of_own_elements >
+      FixedArray::kMaxLength - number_of_own_descriptors) {
+    isolate->Throw(*isolate->factory()->NewRangeError(
+        MessageTemplate::kInvalidArrayLength));
+    return Nothing<bool>();
+  }
   Handle<FixedArray> values_or_entries = isolate->factory()->NewFixedArray(
       number_of_own_descriptors + number_of_own_elements);
   int count = 0;

test/mjsunit/regress/regress-crbug-397662.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --mock-arraybuffer-allocator --allow-natives-syntax
+
+var a = new Uint8Array(%MaxSmi() >> 1);
+a.x = 1;
+assertThrows(()=>Object.entries(a), RangeError);