    Bug 62405 - Fix integer overflow in Array.prototype.push · 404b4006
    barraclough@apple.com authored
    Reviewed by Oliver Hunt.
    
    There are three integer overflows here, leading to safe (not a security risk)
    but incorrect (non-spec-compliant) behaviour.
    
    Two overflows occur when calculating the new length after pushing (one in the
    fast version of push in JSArray, one in the generic version in ArrayPrototype).
    The other occurs when calculating the indices to write to when multiple items are pushed.
    
    These errors result in three test-262 failures.
    
    Source/JavaScriptCore: 
    
    * runtime/ArrayPrototype.cpp:
    (JSC::arrayProtoFuncPush):
    * runtime/JSArray.cpp:
    (JSC::JSArray::put):
    (JSC::JSArray::push):
    
    LayoutTests: 
    
    * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T2-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.7_Array_prototype_push/S15.4.4.7_A4_T3-expected.txt:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88503 268f45cc-cd09-0410-ab3c-d52691b4dbfc
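The overflow class the commit describes, as an added illustration that is not WebKit's code and not part of the commit: a spec-style generic push over an array-like object whose new length and write indices are computed in full Number precision, beside a constructed model in which the same arithmetic is narrowed to unsigned 32-bit (via `>>> 0`), which is the kind of truncation that produces a wrong length and wrong indices once `length` is near 2^32 - 1. The function names (`genericPush`, `truncatedPush`, `addWouldWrapUint32`, `demo`) are assumptions chosen for this example; plain objects are used because a real Array rejects lengths above 2^32 - 1 with a RangeError.

```javascript
// Added example, not WebKit/JavaScriptCore code. Models Array.prototype.push
// over an array-like object in two ways: correct full-precision arithmetic
// and a deliberately narrowed uint32 variant that reproduces the wrap-around.
const UINT32_MAX = 0xFFFFFFFF; // 4294967295

// Spec-style generic push (simplified ToLength handling is an assumption):
// length is a Number, so len + itemCount cannot wrap, and each write index
// is computed in full precision.
function genericPush(obj, ...items) {
  let len = Number(obj.length) || 0;
  for (const item of items) {
    obj[len] = item;
    len += 1;
  }
  obj.length = len;
  return len;
}

// Constructed model of the defect: new length and write indices are forced
// through unsigned 32-bit arithmetic, so values past 2^32 - 1 wrap to 0.
function truncatedPush(obj, ...items) {
  const len = (Number(obj.length) || 0) >>> 0;
  for (let i = 0; i < items.length; i++) {
    obj[(len + i) >>> 0] = items[i];
  }
  obj.length = (len + items.length) >>> 0;
  return obj.length;
}

// The check a native implementation needs when it keeps unsigned 32-bit
// counters: an unsigned add wrapped if the truncated sum is below an operand.
function addWouldWrapUint32(a, b) {
  return ((a + b) >>> 0) < (a >>> 0);
}

// Pushes two items onto objects whose length sits at the uint32 limit and
// reports where each element landed and what length was recorded.
function demo() {
  const ok = { length: UINT32_MAX };
  const bad = { length: UINT32_MAX };
  return {
    correctLength: genericPush(ok, 'x', 'y'),      // 4294967297
    correctSecondIndex: ok[UINT32_MAX + 1] === 'y', // true
    wrappedLength: truncatedPush(bad, 'x', 'y'),   // 1 (wrapped)
    wrappedSecondIndex: bad[0] === 'y',            // true: index wrapped to 0
    wouldWrap: addWouldWrapUint32(UINT32_MAX, 2),  // true
  };
}

console.log(demo());
```

Run with `node`: the full-precision path records length 4294967297 and stores the second item at index 4294967296, while the truncated model reports length 1 and writes the second item to index 0, which is exactly the non-spec-compliant result the sputnik push tests catch. `addWouldWrapUint32` is the guard to place before trusting an unsigned sum in native code.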