Bug 62405 - Fix integer overflow in Array.prototype.push
authorbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Jun 2011 23:46:54 +0000 (23:46 +0000)
committerbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Jun 2011 23:46:54 +0000 (23:46 +0000)
commit5c6db8b49cf8f1fc86f62bdd16f0c4bada55908c
tree45984d1e4edb4cbcef09dcde9ed55cd4099c94fa
parentbd13f4e61a7ad95b62eee512a2d6306f30ebdfbf
Bug 62405 - Fix integer overflow in Array.prototype.push

Reviewed by Oliver Hunt.

There are three integer overflows here, leading to safe (not a security risk)
but incorrect (non-spec-compliant) behaviour.

Two overflows occur when calculating the new length after pushing (one in the
fast version of push in JSArray, one in the generic version in ArrayPrototype).
The other occurs calculating indices to write to when multiple items are pushed.

These errors result in three test-262 failures.

Source/JavaScriptCore:

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
* runtime/JSArray.cpp:
(JSC::JSArray::put):
(JSC::JSArray::push):

LayoutTests:

* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T3-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@88503 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T2-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T3-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSArray.cpp