Bug 1499366 - Part 2: Check parameter index before increment. r=Yoric
authorTooru Fujisawa <arai_a@mac.com>
Tue, 16 Oct 2018 23:11:56 +0900
changeset 489770 c96e54bae30c098a4b10a42721bf58295a1409f7
parent 489769 bca5f70008c94e9a74c2d8d7272c10edcfa9c404
child 489771 abaa52cda0ad84656583a260f33fb64fe569a4ef
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersYoric
bugs1499366
milestone64.0a1
Bug 1499366 - Part 2: Check parameter index before increment. r=Yoric
js/src/frontend/BinSource-auto.cpp
js/src/frontend/BinSource.yaml
--- a/js/src/frontend/BinSource-auto.cpp
+++ b/js/src/frontend/BinSource-auto.cpp
@@ -2323,21 +2323,20 @@ BinASTParser<Tok>::parseInterfaceAsserte
     RootedAtom name(cx_);
     MOZ_TRY_VAR(name, tokenizer_->readIdentifierName());
     // `positionalParams` vector can be shorter than the actual
     // parameter length. Resize on demand.
     // (see also ListOfAssertedMaybePositionalParameterName)
     size_t prevLength = positionalParams.get().length();
     if (index >= prevLength) {
         // This is implementation limit, which is not in the spec.
-        size_t newLength = index + 1;
-        if (newLength >= ARGNO_LIMIT) {
+        if (index >= ARGNO_LIMIT - 1) {
             return raiseError("AssertedPositionalParameterName.index is too big");
         }
-
+        size_t newLength = index + 1;
         BINJS_TRY(positionalParams.get().resize(newLength));
         for (uint32_t i = prevLength; i < newLength; i++) {
             positionalParams.get()[i] = nullptr;
         }
     }
 
     if (positionalParams.get()[index]) {
         return raiseError("AssertedPositionalParameterName has duplicate entry for the same index");
--- a/js/src/frontend/BinSource.yaml
+++ b/js/src/frontend/BinSource.yaml
@@ -283,21 +283,20 @@ AssertedPositionalParameterName:
         name:
             after: |
                 // `positionalParams` vector can be shorter than the actual
                 // parameter length. Resize on demand.
                 // (see also ListOfAssertedMaybePositionalParameterName)
                 size_t prevLength = positionalParams.get().length();
                 if (index >= prevLength) {
                     // This is implementation limit, which is not in the spec.
-                    size_t newLength = index + 1;
-                    if (newLength >= ARGNO_LIMIT) {
+                    if (index >= ARGNO_LIMIT - 1) {
                         return raiseError("AssertedPositionalParameterName.index is too big");
                     }
-
+                    size_t newLength = index + 1;
                     BINJS_TRY(positionalParams.get().resize(newLength));
                     for (uint32_t i = prevLength; i < newLength; i++) {
                         positionalParams.get()[i] = nullptr;
                     }
                 }
 
                 if (positionalParams.get()[index]) {
                     return raiseError("AssertedPositionalParameterName has duplicate entry for the same index");
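Review bot: The comment above the new `if (index >= ARGNO_LIMIT - 1)` check still only says the limit is not in the spec, and nothing records why the comparison has to come before `size_t newLength = index + 1;`. Going by the commit title, the ordering is the fix: `index` is read from the input file and its declaration is outside this hunk, so presumably the addition could wrap before the old comparison ran. I would add a line such as `// Compare index itself; computing index + 1 first could wrap for a file-supplied value.` so a later cleanup does not fold the two statements back together. The loop below still counts with `uint32_t i` against a `size_t newLength`; the limit check should keep both in range, but `size_t i` would match the surrounding types. The same text appears in the BinSource-auto.cpp hunk, which looks generated from this template, and the enclosing block starts and ends outside the hunk.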