Avoid integer overflow in CopyMap.

R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/63173023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17740 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/factory.cc

@@ -626,11 +626,12 @@ Handle<Map> Factory::CopyMap(Handle<Map> src,
   int instance_size_delta = extra_inobject_properties * kPointerSize;
   int max_instance_size_delta =
       JSObject::kMaxInstanceSize - copy->instance_size();
-  if (instance_size_delta > max_instance_size_delta) {
+  int max_extra_properties = max_instance_size_delta >> kPointerSizeLog2;
+  if (extra_inobject_properties > max_extra_properties) {
     // If the instance size overflows, we allocate as many properties
     // as we can as inobject properties.
     instance_size_delta = max_instance_size_delta;
-    extra_inobject_properties = max_instance_size_delta >> kPointerSizeLog2;
+    extra_inobject_properties = max_extra_properties;
   }
   // Adjust the map with the extra inobject properties.
   int inobject_properties =