Bug 824648: Add range-check & unsigned cast before comparing signed arg to unsigned array-length, in VMFunctions.cpp's CharCodeAt() impl. r=nbp
author: Daniel Holbert <dholbert@cs.stanford.edu>
Wed, 26 Dec 2012 09:29:19 -0800
changeset: 126156 47a6822f5e3f28436eabf6b1b065959234e02d90
parent: 126153 d29b182e169ee1245729e2a45817e09b424df9de
child: 126157 a4a6940f56450c6e94d38e33a9a5a9a56cb1b076
push id: 2151
push user: lsblakk@mozilla.com
push date: Tue, 19 Feb 2013 18:06:57 +0000
treeherder: mozilla-beta@4952e88741ec
reviewers: nbp
bugs: 824648
milestone: 20.0a1
js/src/ion/VMFunctions.cpp
--- a/js/src/ion/VMFunctions.cpp
+++ b/js/src/ion/VMFunctions.cpp
@@ -359,17 +359,18 @@ ArrayConcatDense(JSContext *cx, HandleOb
     if (!js::array_concat(cx, 1, argv))
         return NULL;
     return &argv[0].toObject();
 }
 
 bool
 CharCodeAt(JSContext *cx, HandleString str, int32_t index, uint32_t *code)
 {
-    JS_ASSERT(index < str->length());
+    JS_ASSERT(index >= 0 &&
+              static_cast<uint32_t>(index) < str->length());
 
     const jschar *chars = str->getChars(cx);
     if (!chars)
         return false;
 
     *code = chars[index];
     return true;
 }
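Review bot: The range check on `index` in CharCodeAt is still only a `JS_ASSERT`, which is compiled out of non-debug builds, so `*code = chars[index];` a few lines later reads with a signed `int32_t` and no runtime bounds check. If every caller already guarantees `0 <= index < str->length()`, please say so in a comment above the function so the precondition is documented where the unchecked read happens; if that guarantee is not airtight, the check should be enforced at runtime rather than asserted. The `index >= 0` test ahead of the `static_cast<uint32_t>(index)` is the right order, since it makes the assertion message point at the negative-index case instead of relying on wraparound to a large unsigned value.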