Bug 1322315 - Check arguments length in ICCallStubCompiler::guardFunApply. r=nbp CLOSED TREE
authorHannes Verschore <hv1989@gmail.com>
Thu, 12 Jan 2017 21:14:12 +0100
changeset 374161 81159dae56440e1f412656b7f927d4c503d05384
parent 374160 963adce2ffbe5d8b0cd9acf8bb7fd6e85bde27d4
child 374162 b1c31c4a0a678194931779e0f13fba7b508eb109
child 374206 d8a68016cc26080e21b5d1c13dbc0fbce21a927e
push id6996
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 20:48:21 +0000
reviewersnbp
bugs1322315
milestone53.0a1
Bug 1322315 - Check arguments length in ICCallStubCompiler::guardFunApply. r=nbp CLOSED TREE
js/src/jit/BaselineIC.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -4626,16 +4626,22 @@ ICCallStubCompiler::guardFunApply(MacroA
         // Ensure that the second arg is magic arguments.
         masm.branchTestMagic(Assembler::NotEqual, secondArgSlot, failure);
 
         // Ensure that this frame doesn't have an arguments object.
         masm.branchTest32(Assembler::NonZero,
                           Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFlags()),
                           Imm32(BaselineFrame::HAS_ARGS_OBJ),
                           failure);
+
+        // Limit the length to something reasonable.
+        masm.branch32(Assembler::Above,
+                      Address(BaselineFrameReg, BaselineFrame::offsetOfNumActualArgs()),
+                      Imm32(ICCall_ScriptedApplyArray::MAX_ARGS_ARRAY_LENGTH),
+                      failure);
     } else {
         MOZ_ASSERT(applyThing == FunApply_Array);
 
         AllocatableGeneralRegisterSet regsx = regs;
 
         // Ensure that the second arg is an array.
         ValueOperand secondArgVal = regsx.takeAnyValue();
         masm.loadValue(secondArgSlot, secondArgVal);
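Review bot: The new comment `// Limit the length to something reasonable.` above the added branch32 does not say why the bound exists, so a later reader cannot tell whether it is a tuning heuristic or a safety invariant the generated stub relies on; suggest `// Bail out when the frame's actual argument count exceeds the bound the` / `// scripted-apply stubs assume when copying arguments onto the stack.` The limit is taken from ICCall_ScriptedApplyArray::MAX_ARGS_ARRAY_LENGTH although this is the magic-arguments path, which presumably mirrors the check already made for the array case; a one-line comment stating that the two paths are meant to share the same bound would make that dependency explicit. A jit-test that calls a guarded function via `f.apply(obj, arguments)` with more actual arguments than the bound would pin the bailout behaviour. guardFunApply starts and ends outside this hunk.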