YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix unchecked size number conversion in ArrayBuffer (#1479)

Browse Source 
Free_value after ecma_op_to_number and a related test file.

JerryScript-DCO-1.0-Signed-off-by: Zidong Jiang zidong.jiang@intel.com
This commit is contained in:
Zidong Jiang
2016-12-09 21:54:34 +08:00
committed by Zoltan Herczeg
parent 3ec395ff76
commit 551aaa58e6
4 changed files with 93 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/operations/ecma-arraybuffer-object.c
+12 -2
View File
@@ -14,7 +14,7 @@
*/
#include "ecma-arraybuffer-object.h"
#include "ecma-conversion.h"
#include "ecma-try-catch-macro.h"
#include "ecma-objects.h"
#include "ecma-builtins.h"
#include "ecma-exceptions.h"
@@ -50,12 +50,22 @@ ecma_op_create_arraybuffer_object (const ecma_value_t *arguments_list_p, /**< li
if (arguments_list_len > 0)
{
ecma_number_t num = ecma_get_number_from_value (ecma_op_to_number (arguments_list_p[0]));
ecma_value_t ret = ecma_make_simple_value (ECMA_SIMPLE_VALUE_EMPTY);
ECMA_OP_TO_NUMBER_TRY_CATCH (num, arguments_list_p[0], ret);
length = ecma_number_to_uint32 (num);
if (num != ((ecma_number_t) length))
{
return ecma_raise_range_error (ECMA_ERR_MSG ("Invalid ArrayBuffer length."));
}
ECMA_OP_TO_NUMBER_FINALIZE (num);
if (!ecma_is_value_empty (ret))
{
return ret;
}
}
ecma_object_t *object_p = ecma_arraybuffer_new_object (length);