projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aefa2a2)
Runtime CHECK for overflow in NewTypedArray.
authordslomov@chromium.org <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 14 Nov 2013 11:52:24 +0000 (11:52 +0000)
committerdslomov@chromium.org <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Thu, 14 Nov 2013 11:52:24 +0000 (11:52 +0000)
R=ulan@chromium.org

Review URL: https://codereview.chromium.org/62713006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17739 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/api.cc patch | blob | history

diff --git a/src/api.cc b/src/api.cc
index 4a405a978b3d80fb7e8f1f6a9e338cfb740e4298..736f0b00d7ac833ca3409ebd703a90f8ef49a5bc 100644 (file)
--- a/src/api.cc
+++ b/src/api.cc
@@ -6132,8 +6132,10 @@ i::Handle<i::JSTypedArray> NewTypedArray(
 
   ASSERT(byte_offset % sizeof(ElementType) == 0);
 
+  CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+  size_t byte_length = length * sizeof(ElementType);
   SetupArrayBufferView(
-      isolate, obj, buffer, byte_offset, length * sizeof(ElementType));
+      isolate, obj, buffer, byte_offset, byte_length);
 
   i::Handle<i::Object> length_object =
     isolate->factory()->NewNumberFromSize(length);
Domain: Web Framework / Web Engine;