Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
authorrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 16:03:54 +0000 (16:03 +0000)
committerrmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 16:03:54 +0000 (16:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184772
<rdar://problem/39146327>

Reviewed by Filip Pizlo.

Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
This patch now makes sure that the check correctly detects if there is an integer overflow.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithAnyIndexingType):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231198 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp

index 998844b..e1c3d21 100644 (file)
@@ -1,5 +1,19 @@
 2018-05-01  Robin Morisset  <rmorisset@apple.com>
 
+        Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType
+        https://bugs.webkit.org/show_bug.cgi?id=184772
+        <rdar://problem/39146327>
+
+        Reviewed by Filip Pizlo.
+
+        Related to https://bugs.webkit.org/show_bug.cgi?id=183657 (<rdar://problem/38464399), where a check was missing.
+        This patch now makes sure that the check correctly detects if there is an integer overflow.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountWithAnyIndexingType):
+
+2018-05-01  Robin Morisset  <rmorisset@apple.com>
+
         Correctly detect string overflow when using the 'Function' constructor
         https://bugs.webkit.org/show_bug.cgi?id=184883
         <rdar://problem/36320331>
index 4260ca4..78bef94 100644 (file)
@@ -1063,10 +1063,16 @@ bool JSArray::unshiftCountWithAnyIndexingType(ExecState* exec, unsigned startInd
             return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm));
         }
 
-        if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH)
+        Checked<unsigned, RecordOverflow> checkedLength(oldLength);
+        checkedLength += count;
+        unsigned newLength;
+        if (CheckedState::DidOverflow == checkedLength.safeGet(newLength)) {
+            throwOutOfMemoryError(exec, scope);
+            return true;
+        }
+        if (newLength > MAX_STORAGE_VECTOR_LENGTH)
             return false;
-
-        if (!ensureLength(vm, oldLength + count)) {
+        if (!ensureLength(vm, newLength)) {
             throwOutOfMemoryError(exec, scope);
             return true;
         }
@@ -1110,10 +1116,16 @@ bool JSArray::unshiftCountWithAnyIndexingType(ExecState* exec, unsigned startInd
             return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm));
         }
 
-        if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH)
+        Checked<unsigned, RecordOverflow> checkedLength(oldLength);
+        checkedLength += count;
+        unsigned newLength;
+        if (CheckedState::DidOverflow == checkedLength.safeGet(newLength)) {
+            throwOutOfMemoryError(exec, scope);
+            return true;
+        }
+        if (newLength > MAX_STORAGE_VECTOR_LENGTH)
             return false;
-
-        if (!ensureLength(vm, oldLength + count)) {
+        if (!ensureLength(vm, newLength)) {
             throwOutOfMemoryError(exec, scope);
             return true;
         }