constructGenericTypedArrayViewWithArguments() is missing an exception check.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Sep 2017 00:57:35 +0000 (00:57 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Sep 2017 00:57:35 +0000 (00:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=176485
<rdar://problem/33898874>

Reviewed by Keith Miller.

JSTests:

* stress/regress-176485.js: Added.

Source/JavaScriptCore:

* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221711 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-176485.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

index e9881fd..f446186 100644 (file)
@@ -1,3 +1,13 @@
+2017-09-06  Mark Lam  <mark.lam@apple.com>
+
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+
+        Reviewed by Keith Miller.
+
+        * stress/regress-176485.js: Added.
+
 2017-09-05  Saam Barati  <sbarati@apple.com>
 
         isNotCellSpeculation is wrong with respect to SpecEmpty
diff --git a/JSTests/stress/regress-176485.js b/JSTests/stress/regress-176485.js
new file mode 100644 (file)
index 0000000..20fe843
--- /dev/null
@@ -0,0 +1,11 @@
+var exception;
+try {
+    a2 = {};//some method ok//what ever object//Date()
+    Object.defineProperty(a2, "length",{get: Int32Array});//Int32Array here wrong,need a function
+    new Int32Array(this.a2);
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "TypeError: calling Int32Array constructor without new is invalid")
+    throw "Exception not thrown";
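Review bot: The failure message on the last line is misleading: `"Exception not thrown"` is also raised when an exception was thrown but with a different type or text, which hides what actually happened when the test regresses. Reporting the caught value keeps the exact-message check while making the failure diagnosable, e.g. `throw "Expected TypeError, got: " + exception;`. The trailing fuzzer residue on the two setup lines (`//some method ok//what ever object//Date()`, `//Int32Array here wrong,need a function`) could be replaced by one comment stating the intent: `length` is a getter that throws because a typed-array constructor is called without `new`, so the constructor must observe that pending exception before converting the length. Since `exception` is never reset, the test also cannot distinguish "no throw" from "undefined was thrown", though that is unlikely to matter here.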
index 52db10b..fec7739 100644 (file)
@@ -1,3 +1,14 @@
+2017-09-06  Mark Lam  <mark.lam@apple.com>
+
+        constructGenericTypedArrayViewWithArguments() is missing an exception check.
+        https://bugs.webkit.org/show_bug.cgi?id=176485
+        <rdar://problem/33898874>
+
+        Reviewed by Keith Miller.
+
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayViewWithArguments):
+
 2017-09-06  Saam Barati  <sbarati@apple.com>
 
         Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
index c1c7892..0eae871 100644 (file)
@@ -185,8 +185,14 @@ inline JSObject* constructGenericTypedArrayViewWithArguments(ExecState* exec, St
                     return constructGenericTypedArrayViewFromIterator<ViewClass>(exec, structure, iterator);
             }
 
-            length = lengthSlot.isUnset() ? 0 : lengthSlot.getValue(exec, vm.propertyNames->length).toUInt32(exec);
-            RETURN_IF_EXCEPTION(scope, nullptr);
+            if (lengthSlot.isUnset())
+                length = 0;
+            else {
+                JSValue value = lengthSlot.getValue(exec, vm.propertyNames->length);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+                length = value.toUInt32(exec);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+            }
         }