YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix heap buffer overflow in Array.prototype.copyWithin (#4211)

Browse Source 
2nd and 3rd argument evaluation of Array.prototype.copyWithin can change
the length of the array as a side-effect. But ES11 spec says that the
algorithm should use the original length. In this case it could happen
that the underlying buffer should be extended.

Fixes #4204

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu
This commit is contained in:
Csaba Osztrogonác
2020-09-25 15:06:29 +02:00
committed by GitHub
parent bc64957d19
commit de38764e88
4 changed files with 24 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/jerry/es.next/regression-test-issue-4146.js
+5 -4
View File
@@ -32,7 +32,7 @@ Array.prototype.equals = function (array) {
function longDenseArray(){
var a = [0];
for(var i = 0; i < 200; i++){
for(var i = 0; i < 60; i++){
a[i] = i;
}
return a;
@@ -43,7 +43,8 @@ function shorten(){
return 1;
}
var array = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,,,,,,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19];
var currArray = longDenseArray();
assert (currArray.copyWithin (200, {valueOf: shorten}).length == 20)
var array = [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19];
assert (currArray.copyWithin(200, {valueOf: shorten}).equals (array))
currArray.copyWithin(25, {valueOf: shorten})
assert (currArray.length == 44)
assert (currArray.equals (array))