Bug 62405 - Fix integer overflow in Array.prototype.push
author    Gavin Barraclough <barraclough@apple.com>
          Thu, 9 Jun 2011 23:46:54 +0000 (23:46 +0000)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
          Fri, 10 Jun 2011 13:06:27 +0000 (10:06 -0300)
commit    d322e51bdc0f4432c9438938b949c6bf19ab8698
tree      edc6f37c129654eb83286619d250b3d7817e4490
parent    9b9da6b5e9abf0352d75545442f2a1d967d9f18b
Bug 62405 - Fix integer overflow in Array.prototype.push

Reviewed by Oliver Hunt.

There are three integer overflows here, leading to safe (not a security risk)
but incorrect (non-spec-compliant) behaviour.

Two overflows occur when calculating the new length after pushing (one in the
fast version of push in JSArray, one in the generic version in ArrayPrototype).
The other occurs calculating indices to write to when multiple items are pushed.

These errors result in three test-262 failures.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
* runtime/JSArray.cpp:
(JSC::JSArray::put):
(JSC::JSArray::push):

LayoutTests:

* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T3-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88503 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T2-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T3-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSArray.cpp
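As an added example (not code from this WebKit commit), the following reproduces the spec-compliant push behaviour that the three overflows broke, using a constructed array-like object whose length is 2^32 - 1 so the engine's generic push path is exercised, next to a model of the 32-bit wraparound that produced the wrong length and write index. The helper names (`pushOntoArrayLike`, `wrappedNewLength`, `wrappedIndex`, `exactNewLength`) are my own.

```javascript
// Added example, not code from the WebKit commit. Reproduces the generic
// Array.prototype.push behaviour (ES5 15.4.4.7) that the overflows broke, and
// models the 32-bit arithmetic that produced the wrong length and indices.

const UINT32_MAX = 4294967295; // 2^32 - 1, the largest value ToUint32 can yield

// Spec path: works on any array-like, so the engine's generic push is exercised.
// Returns the object after pushing together with the length the call reported.
function pushOntoArrayLike(length, ...items) {
  const obj = { length };                       // constructed array-like input
  const reported = Array.prototype.push.call(obj, ...items);
  return { reported, obj };
}

// Model of the bug: new length and write index kept in unsigned 32 bits.
function wrappedNewLength(length, count) { return (length + count) >>> 0; }
function wrappedIndex(length, i) { return (length + i) >>> 0; }

// Correct arithmetic: a double holds these values exactly (well below 2^53).
function exactNewLength(length, count) { return length + count; }

// Compare the spec result against the wrapped model for two pushed items.
function demo() {
  const { reported, obj } = pushOntoArrayLike(UINT32_MAX, "a", "b");
  return {
    reported,                                        // 4294967297
    storedLength: obj.length,                        // 4294967297
    first: obj[UINT32_MAX],                          // "a" at index 2^32 - 1
    second: obj[UINT32_MAX + 1],                     // "b" at index 2^32
    leakedToZero: obj[0],                            // undefined: nothing wrapped to 0
    wrappedLength: wrappedNewLength(UINT32_MAX, 2),  // 1, the overflowed length
    wrappedSecondIndex: wrappedIndex(UINT32_MAX, 1)  // 0, where item 2 would have landed
  };
}
```

Run under Node; a real Array cannot take this length (setting it past 2^32 - 1 throws a RangeError), which is why the array-like object is needed to observe the generic path.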