From 6f66664386bce2b4120473158efa456bf5598db0 Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org"
 <jkummerow@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Wed, 29 Jun 2011 10:27:14 +0000
Subject: [PATCH] Error checking for length parameter of external array
 constructors in shell

BUG=v8:1501

Review URL: http://codereview.chromium.org/7268002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8458 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 samples/shell.cc | 33 +++++++++++++++++++++++++++++----
 src/d8.cc        | 30 ++++++++++++++++++++++++++----
 src/d8.h         |  2 +-
 3 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/samples/shell.cc b/samples/shell.cc
index 950370ada..15c1a5ad7 100644
--- a/samples/shell.cc
+++ b/samples/shell.cc
@@ -497,14 +497,39 @@ void ExternalArrayWeakCallback(v8::Persistent<v8::Value> object, void* data) {
 
 v8::Handle<v8::Value> CreateExternalArray(const v8::Arguments& args,
                                           v8::ExternalArrayType type,
-                                          int element_size) {
+                                          size_t element_size) {
+  ASSERT(element_size == 1 || element_size == 2 || element_size == 4 ||
+         element_size == 8);
   if (args.Length() != 1) {
     return v8::ThrowException(
         v8::String::New("Array constructor needs one parameter."));
   }
-  int length = args[0]->Int32Value();
-  void* data = malloc(length * element_size);
-  memset(data, 0, length * element_size);
+  size_t length = 0;
+  if (args[0]->IsUint32()) {
+    length = args[0]->Uint32Value();
+  } else if (args[0]->IsNumber()) {
+    double raw_length = args[0]->NumberValue();
+    if (raw_length < 0) {
+      return v8::ThrowException(
+          v8::String::New("Array length must not be negative."));
+    }
+    if (raw_length > v8::internal::ExternalArray::kMaxLength) {
+      return v8::ThrowException(
+          v8::String::New("Array length exceeds maximum length."));
+    }
+    length = static_cast<size_t>(raw_length);
+  } else {
+    return v8::ThrowException(
+        v8::String::New("Array length must be a number."));
+  }
+  if (length > static_cast<size_t>(v8::internal::ExternalArray::kMaxLength)) {
+    return v8::ThrowException(
+        v8::String::New("Array length exceeds maximum length."));
+  }
+  void* data = calloc(length, element_size);
+  if (data == NULL) {
+    return v8::ThrowException(v8::String::New("Memory allocation failed."));
+  }
   v8::Handle<v8::Object> array = v8::Object::New();
   v8::Persistent<v8::Object> persistent_array =
       v8::Persistent<v8::Object>::New(array);
diff --git a/src/d8.cc b/src/d8.cc
index 7655aad4b..6f948c6e5 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -223,14 +223,36 @@ Handle<Value> Shell::Load(const Arguments& args) {
 
 Handle<Value> Shell::CreateExternalArray(const Arguments& args,
                                          ExternalArrayType type,
-                                         int element_size) {
+                                         size_t element_size) {
+  ASSERT(element_size == 1 || element_size == 2 || element_size == 4 ||
+         element_size == 8);
   if (args.Length() != 1) {
     return ThrowException(
         String::New("Array constructor needs one parameter."));
   }
-  int length = args[0]->Int32Value();
-  void* data = malloc(length * element_size);
-  memset(data, 0, length * element_size);
+  size_t length = 0;
+  if (args[0]->IsUint32()) {
+    length = args[0]->Uint32Value();
+  } else if (args[0]->IsNumber()) {
+    double raw_length = args[0]->NumberValue();
+    if (raw_length < 0) {
+      return ThrowException(String::New("Array length must not be negative."));
+    }
+    if (raw_length > v8::internal::ExternalArray::kMaxLength) {
+      return ThrowException(
+          String::New("Array length exceeds maximum length."));
+    }
+    length = static_cast<size_t>(raw_length);
+  } else {
+    return ThrowException(String::New("Array length must be a number."));
+  }
+  if (length > static_cast<size_t>(internal::ExternalArray::kMaxLength)) {
+    return ThrowException(String::New("Array length exceeds maximum length."));
+  }
+  void* data = calloc(length, element_size);
+  if (data == NULL) {
+    return ThrowException(String::New("Memory allocation failed."));
+  }
   Handle<Object> array = Object::New();
   Persistent<Object> persistent_array = Persistent<Object>::New(array);
   persistent_array.MakeWeak(data, ExternalArrayWeakCallback);
diff --git a/src/d8.h b/src/d8.h
index f3760e8bc..e22546999 100644
--- a/src/d8.h
+++ b/src/d8.h
@@ -217,7 +217,7 @@ class Shell: public i::AllStatic {
   static Counter* GetCounter(const char* name, bool is_histogram);
   static Handle<Value> CreateExternalArray(const Arguments& args,
                                            ExternalArrayType type,
-                                           int element_size);
+                                           size_t element_size);
   static void ExternalArrayWeakCallback(Persistent<Value> object, void* data);
 };
 
-- 
2.34.1