From: dslomov@chromium.org Date: Thu, 2 May 2013 13:30:57 +0000 (+0000) Subject: Range checking bug in typed array constructor. X-Git-Tag: upstream/4.7.83~14369 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=343bf3391830b04e1a0eb1847ef92f1454c774d1;p=platform%2Fupstream%2Fv8.git Range checking bug in typed array constructor. R=rossberg@chromium.org Review URL: https://codereview.chromium.org/14850011 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/typedarray.js b/src/typedarray.js
index 5910605..e105afc 100644
--- a/src/typedarray.js
+++ b/src/typedarray.js
@@ -110,7 +110,7 @@ function CreateTypedArrayConstructor(name, elementSize, arrayId, constructor) {
 var newLength = TO_POSITIVE_INTEGER(length);
 newByteLength = newLength * elementSize;
 }
- if (newByteLength > bufferByteLength) {
+ if (offset + newByteLength > bufferByteLength) {
 throw MakeRangeError("invalid_typed_array_length");
 }
 %TypedArrayInitialize(obj, arrayId, buffer, offset, newByteLength);
diff --git a/test/mjsunit/harmony/typedarrays.js b/test/mjsunit/harmony/typedarrays.js
index c868d11..21c6054 100644
--- a/test/mjsunit/harmony/typedarrays.js
+++ b/test/mjsunit/harmony/typedarrays.js
@@ -192,6 +192,9 @@ function TestTypedArray(proto, elementSize, typicalElement) {
 }
 assertThrows(function () { new proto(ab, 256*elementSize); }, RangeError);
+ assertThrows(
+ function () { new proto(ab, 128*elementSize, 192); },
+ RangeError);
 if (elementSize !== 1) {
 assertThrows(function() { new proto(ab, 128*elementSize - 1, 10); },
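Review bot: The corrected guard `if (offset + newByteLength > bufferByteLength)` is the last check before `%TypedArrayInitialize` creates a view over the buffer, so it is only as sound as the validation of `offset`, which happens above this hunk and is not visible here; if `offset` could still be NaN or negative at this point, the comparison would evaluate false and the check would pass silently, so it is worth confirming that `offset` has been coerced to a non-negative integer by then. A comment stating that dependency would help the next reader, e.g. `// Bounds check: the view [offset, offset + newByteLength) must fit in the buffer; offset is assumed already validated as a non-negative integer.` placed above the `if`. The added test covers an in-range offset with an over-long explicit length; if the no-`length` path derives `newByteLength` from `bufferByteLength` and `offset`, a case with an offset past the end of the buffer and no length would pin that direction too. CreateTypedArrayConstructor starts and ends outside the hunk.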