Bug 1434573 - Limit the number of Formal Parameter and Tagged Tuple. r=Yoric
authorTooru Fujisawa <arai_a@mac.com>
Thu, 04 Oct 2018 10:57:37 +0900
changeset 495305 21b67d2084a65be59d8cfd0b495276bf47b5f899
parent 495304 d678adeaddcd50c3d49c6a4afe3395f1a10853e1
child 495306 cf3a63af2da7a4a855afb8f31e3a68bcd9f2e34e
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewersYoric
bugs1434573
milestone64.0a1
Bug 1434573 - Limit the number of Formal Parameter and Tagged Tuple. r=Yoric
js/src/frontend/BinSource-auto.cpp
js/src/frontend/BinSource.yaml
js/src/frontend/BinTokenReaderTester.cpp
js/src/frontend/BinTokenReaderTester.h
--- a/js/src/frontend/BinSource-auto.cpp
+++ b/js/src/frontend/BinSource-auto.cpp
@@ -8369,16 +8369,19 @@ BinASTParser<Tok>::parseListOfAssertedMa
 {
     uint32_t length;
     AutoList guard(*tokenizer_);
 
     const auto start = tokenizer_->offset();
     MOZ_TRY(tokenizer_->enterList(length, guard));
     (void) start;
     auto result = Ok();
+    if (length >= ARGNO_LIMIT) {
+        return raiseError("Too many function parameters");
+    }
     BINJS_TRY(positionalParams.get().resize(length));
     for (uint32_t i = 0; i < length; i++) {
         positionalParams.get()[i] = nullptr;
     }
 
     for (uint32_t i = 0; i < length; ++i) {
         MOZ_TRY(parseAssertedMaybePositionalParameterName(
             scopeKind, positionalParams));
--- a/js/src/frontend/BinSource.yaml
+++ b/js/src/frontend/BinSource.yaml
@@ -904,16 +904,19 @@ ListOfAssertedMaybePositionalParameterNa
     extra-params: |
         AssertedScopeKind scopeKind,
         MutableHandle<GCVector<JSAtom*>> positionalParams
     extra-args: |
         scopeKind, positionalParams
     init: |
         (void) start;
         auto result = Ok();
+        if (length >= ARGNO_LIMIT) {
+            return raiseError("Too many function parameters");
+        }
         BINJS_TRY(positionalParams.get().resize(length));
         for (uint32_t i = 0; i < length; i++) {
             positionalParams.get()[i] = nullptr;
         }
 
 ListOfAssertedDeclaredName:
     inherits: ListOfAssertedBoundName
 
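Review bot: The new `length >= ARGNO_LIMIT` guard in the `init:` template has no comment saying that `length` was just read from the input file by `enterList` and that the check has to stay ahead of `positionalParams.get().resize(length)`. A later edit to this template could reorder the two without noticing. I would add `// length comes from the file being parsed; reject it before resize() allocates.` directly above the `if`. The generated BinSource-auto.cpp hunk carries the same lines, so the comment only needs to be written here. The bound is exclusive here (`>=`) but inclusive in the `fieldNum > FIELD_NUM_MAX` check in BinTokenReaderTester.cpp, which is worth stating in the comment so the difference reads as deliberate.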
--- a/js/src/frontend/BinTokenReaderTester.cpp
+++ b/js/src/frontend/BinTokenReaderTester.cpp
@@ -291,16 +291,20 @@ BinTokenReaderTester::enterTaggedTuple(B
 
         // else
         return raiseError("Invalid tag");
     } while(false);
 
     // Now fields.
     BINJS_MOZ_TRY_DECL(fieldNum, readInternalUint32());
 
+    if (fieldNum > FIELD_NUM_MAX) {
+        return raiseError("Too many fields");
+    }
+
     fields.clear();
     if (!fields.reserve(fieldNum)) {
         return raiseOOM();
     }
 
     for (uint32_t i = 0; i < fieldNum; ++i) {
         // This would probably be much faster with a HashTable, but we don't
         // really care about the speed of BinTokenReaderTester.
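Review bot: No test file appears in this changeset's file list, so neither the `fieldNum > FIELD_NUM_MAX` rejection added here nor the `length >= ARGNO_LIMIT` rejection in BinSource.yaml is exercised by anything visible. One input with exactly `FIELD_NUM_MAX` fields that is accepted, and one with `FIELD_NUM_MAX + 1` that produces "Too many fields", would pin the inclusive bound and the ordering before `fields.reserve(fieldNum)`. The value 32 is declared in BinTokenReaderTester.h without a rationale; if it is meant to exceed the largest field count of any interface in the grammar, its comment should say so, e.g. `// Inclusive upper bound; must be >= the largest field count of any BinAST interface.` enterTaggedTuple's body starts and ends outside this hunk.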
--- a/js/src/frontend/BinTokenReaderTester.h
+++ b/js/src/frontend/BinTokenReaderTester.h
@@ -59,16 +59,19 @@ class MOZ_STACK_CLASS BinTokenReaderTest
     // they are valid UTF-8. Future versions may replace this by slice into
     // the buffer.
     using Chars     = Vector<uint8_t, 32>;
 
     class AutoList;
     class AutoTuple;
     class AutoTaggedTuple;
 
+    // The maximum number of fields in single tagged tuple.
+    static const uint32_t FIELD_NUM_MAX = 32;
+
   public:
     /**
      * Construct a token reader.
      *
      * Does NOT copy the buffer.
      */
     BinTokenReaderTester(JSContext* cx, ErrorReporter* er, const uint8_t* start, const size_t length);