Bug 1322315 - Check arguments length in ICCallStubCompiler::guardFunApply. r=nbp, a=lizzard
authorHannes Verschore <hv1989@gmail.com>
Thu, 12 Jan 2017 21:14:12 +0100
changeset 353563 21a5859e934a4aef578bb8ad0595cac0416164a6
parent 353562 98ecf719163d1c0cf19359186ab1cac6f34bb621
child 353564 5be69f2ff0164ed5e53ac7fd70f88b220a1d6ade
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
reviewersnbp, lizzard
bugs1322315
milestone52.0a2
Bug 1322315 - Check arguments length in ICCallStubCompiler::guardFunApply. r=nbp, a=lizzard
js/src/jit/BaselineIC.cpp
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -6250,16 +6250,22 @@ ICCallStubCompiler::guardFunApply(MacroA
         // Ensure that the second arg is magic arguments.
         masm.branchTestMagic(Assembler::NotEqual, secondArgSlot, failure);
 
         // Ensure that this frame doesn't have an arguments object.
         masm.branchTest32(Assembler::NonZero,
                           Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFlags()),
                           Imm32(BaselineFrame::HAS_ARGS_OBJ),
                           failure);
+
+        // Limit the length to something reasonable.
+        masm.branch32(Assembler::Above,
+                      Address(BaselineFrameReg, BaselineFrame::offsetOfNumActualArgs()),
+                      Imm32(ICCall_ScriptedApplyArray::MAX_ARGS_ARRAY_LENGTH),
+                      failure);
     } else {
         MOZ_ASSERT(applyThing == FunApply_Array);
 
         AllocatableGeneralRegisterSet regsx = regs;
 
         // Ensure that the second arg is an array.
         ValueOperand secondArgVal = regsx.takeAnyValue();
         masm.loadValue(secondArgSlot, secondArgVal);
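Review bot: The comment on the new bounds check, `// Limit the length to something reasonable.`, does not say why the limit matters or why this particular constant is the right one; a reader of guardFunApply later cannot tell whether the number is arbitrary or load-bearing. Suggest replacing it with `// Bound the actual-argument count the stub will later copy; reuse the array case's MAX_ARGS_ARRAY_LENGTH so that oversized frames fail over to the generic call path instead of being handled here.` The use of `Assembler::Above` (unsigned compare) looks correct given that an argument count cannot be negative — assuming the slot at `offsetOfNumActualArgs()` holds a uint32_t, which is not visible in the hunk and worth confirming. guardFunApply begins before this hunk and its body continues past the end of it.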