Bug 1161298 - missing length guard on SAB. r=bbouvier
authorLars T Hansen <lhansen@mozilla.com>
Thu, 07 May 2015 11:02:12 +0200
changeset 274105 480e59b8e40668eab3117692513ce56c91dfe734
parent 274104 9ce400f5f5b45d3a996d8e793c755d08fe046f51
child 274106 f3bc38042efe458ebb5c8de622ad997914e56e12
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
reviewersbbouvier
bugs1161298
milestone40.0a1
Bug 1161298 - missing length guard on SAB. r=bbouvier
js/src/jit-test/tests/asm.js/bug1161298.js
js/src/vm/SharedArrayObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/bug1161298.js
@@ -0,0 +1,13 @@
+// The length exceeds INT32_MAX and should be rejected.
+
+if (!this.SharedArrayBuffer)
+    quit(0);
+
+var failed = false;
+try {
+    var sab = new SharedArrayBuffer((2147483648));
+}
+catch (e) {
+    failed = true;
+}
+assertEq(failed, true);
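Review bot: The test only records that some exception escaped the constructor call, so it would also pass if `new SharedArrayBuffer(2147483648)` failed for a reason unrelated to the length check (a TypeError from a bad argument path, an out-of-memory error, or a regression that makes the constructor throw unconditionally). Keeping the caught exception and asserting its class would pin the behaviour the patch actually adds: replace the `failed` flag with `var err = null;` assigned in the catch block, then `assertEq(err instanceof RangeError, true);` — the error class comes from JSMSG_SHARED_ARRAY_BAD_LENGTH's entry in js.msg and looks like a RangeError, but confirm it there before hard-coding it. The doubled parentheses in `((2147483648))` are harmless but read as a leftover; `new SharedArrayBuffer(2147483648)` says the same.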
--- a/js/src/vm/SharedArrayObject.cpp
+++ b/js/src/vm/SharedArrayObject.cpp
@@ -211,22 +211,21 @@ SharedArrayBufferObject::class_construct
         if (args.hasDefined(0) && IsObjectWithClass(args[0], ESClass_SharedArrayBuffer, cx)) {
             args.rval().set(args[0]);
             return true;
         }
         JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_OBJECT);
         return false;
     }
 
+    // Bugs 1068458, 1161298: Limit length to 2^31-1.
     uint32_t length;
-    bool overflow;
-    if (!ToLengthClamped(cx, args.get(0), &length, &overflow)) {
-        // Bug 1068458: Limit length to 2^31-1.
-        if (overflow || length > INT32_MAX)
-            JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_LENGTH);
+    bool overflow_unused;
+    if (!ToLengthClamped(cx, args.get(0), &length, &overflow_unused) || length > INT32_MAX) {
+        JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_LENGTH);
         return false;
     }
 
     JSObject* bufobj = New(cx, length);
     if (!bufobj)
         return false;
     args.rval().setObject(*bufobj);
     return true;
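Review bot: The rewritten check at the `ToLengthClamped` call reports JSMSG_SHARED_ARRAY_BAD_LENGTH on every `false` return, where the removed code reported only when `overflow` was set. If `ToLengthClamped` can return `false` with an exception already pending (which is what the old `overflow` distinction suggests — for instance when converting a length object whose `valueOf` throws), the new unconditional `JS_ReportErrorNumber` replaces the caller's exception with a bad-length error, so script sees the wrong exception and the "missing length guard" fix changes observable error behaviour; this is inferred from the discarded out-parameter, not visible in the hunk. Keeping the out-parameter meaningful preserves both cases while still enforcing the 2^31-1 limit that the asm.js heap-size arithmetic depends on. The enclosing `class_constructor` starts above the hunk.

```cpp
    // Bugs 1068458, 1161298: Limit length to 2^31-1.
    uint32_t length;
    bool overflow;
    if (!ToLengthClamped(cx, args.get(0), &length, &overflow)) {
        // Only report here on overflow; on other failures ToLengthClamped
        // is assumed to have left its own exception pending — confirm.
        if (overflow)
            JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_LENGTH);
        return false;
    }
    if (length > INT32_MAX) {
        JS_ReportErrorNumber(cx, GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_LENGTH);
        return false;
    }
    // … unchanged: New(cx, length) and rval setup …
```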