From: jarin@chromium.org
Date: Mon, 12 May 2014 11:36:47 +0000 (+0000)
Subject: Guard against stack overflow in Runtime::StringReplaceOneCharWithString.
X-Git-Tag: upstream/4.7.83~9166
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f5c62871b8245c8468e9893795933b7554ee49f9;p=platform%2Fupstream%2Fv8.git
Guard against stack overflow in Runtime::StringReplaceOneCharWithString.
Unfortunately, this only triggers with "ulimit -s 1024" (or less), so we cannot have an mjsunit test. The test that fails is test/mjsunit/string-replace-one-char.js on x64.debug.
R=ishell@chromium.org
BUG=
Review URL: https://codereview.chromium.org/264383006
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21262 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/runtime.cc b/src/runtime.cc
index acc711b..ec2834e 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4295,7 +4295,10 @@ MaybeHandle StringReplaceOneCharWithString(Isolate* isolate,
 Handle replace,
 bool* found,
 int recursion_limit) {
- if (recursion_limit == 0) return MaybeHandle();
+ StackLimitCheck stackLimitCheck(isolate);
+ if (stackLimitCheck.HasOverflowed() || (recursion_limit == 0)) {
+ return MaybeHandle();
+ }
 recursion_limit--;
 if (subject->IsConsString()) {
 ConsString* cons = ConsString::cast(*subject);
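Review bot: The new guard folds two different failure modes — a genuine native-stack overflow and an exhausted `recursion_limit` — into the same empty `MaybeHandle` return, so the caller (which lies outside this hunk) cannot tell whether it should retry with a flattened subject or surface the overflow; if it treats every empty handle as the recursion-limit case and re-enters this function on an already near-exhausted stack, the check only postpones the problem. Consider either raising the overflow explicitly on that branch (if the isolate's usual stack-overflow path is the convention in this file) or at least documenting the contract on the signature with a comment such as `// Returns an empty handle when the cons tree is deeper than recursion_limit or when the native stack is exhausted; callers must distinguish the two before retrying.` As a style point, the local `stackLimitCheck` does not follow the snake_case used for the other locals here (`recursion_limit`, `found`), and the parentheses around `(recursion_limit == 0)` are redundant; `StackLimitCheck check(isolate);` followed by `if (check.HasOverflowed() || recursion_limit == 0) {` reads like the surrounding code. The enclosing function starts at the hunk header and continues past the end of the hunk.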