From f6af4e19f521e98bfadbe44dce0918df2e337d41 Mon Sep 17 00:00:00 2001
From: "verwaest@chromium.org"
Date: Thu, 14 Nov 2013 11:56:03 +0000
Subject: [PATCH] Avoid integer overflow in CopyMap.

R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/63173023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17740 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/factory.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/factory.cc b/src/factory.cc
index 6da9a2e..a7cc080 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -626,11 +626,12 @@ Handle Factory::CopyMap(Handle src,
   int instance_size_delta = extra_inobject_properties * kPointerSize;
   int max_instance_size_delta =
       JSObject::kMaxInstanceSize - copy->instance_size();
-  if (instance_size_delta > max_instance_size_delta) {
+  int max_extra_properties = max_instance_size_delta >> kPointerSizeLog2;
+  if (extra_inobject_properties > max_extra_properties) {
     // If the instance size overflows, we allocate as many properties
     // as we can as inobject properties.
     instance_size_delta = max_instance_size_delta;
-    extra_inobject_properties = max_instance_size_delta >> kPointerSizeLog2;
+    extra_inobject_properties = max_extra_properties;
   }
   // Adjust the map with the extra inobject properties.
   int inobject_properties =
-- 
2.7.4
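Review bot: The comparison is now overflow-free, but the first context line of the hunk still evaluates `extra_inobject_properties * kPointerSize` before the clamp, so a large `extra_inobject_properties` still produces a signed overflow (undefined behaviour in C++) in `instance_size_delta` even though the value is overwritten inside the if. Move the multiplication after the clamp and drop the assignment inside the block: delete the first context line, delete `instance_size_delta = max_instance_size_delta;`, and add `int instance_size_delta = extra_inobject_properties * kPointerSize;` immediately after the closing `}`. It would also be worth a comment on `max_extra_properties` noting that it relies on `max_instance_size_delta` being non-negative, since a right shift of a negative value is implementation-defined; whether that precondition holds for `copy->instance_size()` cannot be seen from this hunk. The body of CopyMap begins and ends outside the hunk.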