Bug 1499366 - Part 2: Check parameter index before increment. r=Yoric
authorTooru Fujisawa <arai_a@mac.com>
Tue, 16 Oct 2018 23:11:56 +0900
changeset 497246 c96e54bae30c098a4b10a42721bf58295a1409f7
parent 497245 bca5f70008c94e9a74c2d8d7272c10edcfa9c404
child 497247 abaa52cda0ad84656583a260f33fb64fe569a4ef
push id9996
push userarchaeopteryx@coole-files.de
push dateThu, 18 Oct 2018 18:37:15 +0000
reviewersYoric
bugs1499366
milestone64.0a1
Bug 1499366 - Part 2: Check parameter index before increment. r=Yoric
js/src/frontend/BinSource-auto.cpp
js/src/frontend/BinSource.yaml
--- a/js/src/frontend/BinSource-auto.cpp
+++ b/js/src/frontend/BinSource-auto.cpp
@@ -2323,21 +2323,20 @@ BinASTParser<Tok>::parseInterfaceAsserte
     RootedAtom name(cx_);
     MOZ_TRY_VAR(name, tokenizer_->readIdentifierName());
     // `positionalParams` vector can be shorter than the actual
     // parameter length. Resize on demand.
     // (see also ListOfAssertedMaybePositionalParameterName)
     size_t prevLength = positionalParams.get().length();
     if (index >= prevLength) {
         // This is implementation limit, which is not in the spec.
-        size_t newLength = index + 1;
-        if (newLength >= ARGNO_LIMIT) {
+        if (index >= ARGNO_LIMIT - 1) {
             return raiseError("AssertedPositionalParameterName.index is too big");
         }
-
+        size_t newLength = index + 1;
         BINJS_TRY(positionalParams.get().resize(newLength));
         for (uint32_t i = prevLength; i < newLength; i++) {
             positionalParams.get()[i] = nullptr;
         }
     }
 
     if (positionalParams.get()[index]) {
         return raiseError("AssertedPositionalParameterName has duplicate entry for the same index");
--- a/js/src/frontend/BinSource.yaml
+++ b/js/src/frontend/BinSource.yaml
@@ -283,21 +283,20 @@ AssertedPositionalParameterName:
         name:
             after: |
                 // `positionalParams` vector can be shorter than the actual
                 // parameter length. Resize on demand.
                 // (see also ListOfAssertedMaybePositionalParameterName)
                 size_t prevLength = positionalParams.get().length();
                 if (index >= prevLength) {
                     // This is implementation limit, which is not in the spec.
-                    size_t newLength = index + 1;
-                    if (newLength >= ARGNO_LIMIT) {
+                    if (index >= ARGNO_LIMIT - 1) {
                         return raiseError("AssertedPositionalParameterName.index is too big");
                     }
-
+                    size_t newLength = index + 1;
                     BINJS_TRY(positionalParams.get().resize(newLength));
                     for (uint32_t i = prevLength; i < newLength; i++) {
                         positionalParams.get()[i] = nullptr;
                     }
                 }
 
                 if (positionalParams.get()[index]) {
                     return raiseError("AssertedPositionalParameterName has duplicate entry for the same index");
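Review bot: The reordered test `if (index >= ARGNO_LIMIT - 1)` is now load-bearing, but the comment above it does not say why it must run before `size_t newLength = index + 1;`. If `index` is a 32-bit unsigned value (its declaration is outside the hunk), the addition could wrap before the limit test and leave the later `positionalParams.get()[index]` read out of bounds. A comment such as `// Must run before index + 1 is computed, so the addition cannot wrap.` would keep a later refactor from undoing the ordering. Separately, the loop counter `uint32_t i = prevLength` narrows a `size_t`; it is bounded by ARGNO_LIMIT here, but `size_t i` would match both bounds. The same lines appear in the js/src/frontend/BinSource-auto.cpp hunk, which looks generated from this file, and the enclosing `after:` block continues past the end of the hunk.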