From 163ad9ff4322dd8af79ef7b94b2648c1028979c5 Mon Sep 17 00:00:00 2001
From: "dslomov@chromium.org"
 <dslomov@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Mon, 7 Apr 2014 05:54:32 +0000
Subject: [PATCH] Make TypedArray::New fucntions crash on wrong lengths.

R=jkummerow@chromium.org
BUG=359802
LOG=N

Review URL: https://codereview.chromium.org/225983005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/api.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/api.cc b/src/api.cc
index 75c67e0..538bf8c 100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -6075,6 +6075,7 @@ i::Handle<i::JSTypedArray> NewTypedArray(
   ASSERT(byte_offset % sizeof(ElementType) == 0);
 
   CHECK(length <= (std::numeric_limits<size_t>::max() / sizeof(ElementType)));
+  CHECK(length <= static_cast<size_t>(i::Smi::kMaxValue));
   size_t byte_length = length * sizeof(ElementType);
   SetupArrayBufferView(
       isolate, obj, buffer, byte_offset, byte_length);
@@ -6103,6 +6104,11 @@ i::Handle<i::JSTypedArray> NewTypedArray(
     LOG_API(isolate,                                                         \
         "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)");     \
     ENTER_V8(isolate);                                                       \
+    if (!Utils::ApiCheck(length <= static_cast<size_t>(i::Smi::kMaxValue),   \
+            "v8::" #Type "Array::New(Handle<ArrayBuffer>, size_t, size_t)",  \
+            "length exceeds max allowed value")) {                           \
+      return Local<Type##Array>();                                          \
+    }                                                                        \
     i::Handle<i::JSTypedArray> obj =                                         \
         NewTypedArray<ctype, v8::kExternal##Type##Array,                     \
                       i::EXTERNAL_##TYPE##_ELEMENTS>(                        \
-- 
2.7.4