Fix heap buffer overflow in Array.prototype.copyWithin (#4211)
2nd and 3rd argument evaluation of Array.prototype.copyWithin can change the length of the array as a side-effect. But ES11 spec says that the algorithm should use the original length. In this case it could happen that the underlying buffer should be extended. Fixes #4204 JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu
This commit is contained in:
Csaba Osztrogonác
committed by
GitHub
GitHub
parent
bc64957d19
commit
de38764e88
@@ -142,8 +142,6 @@
|
||||
<test id="built-ins/Array/proto-from-ctor-realm-zero.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/concat/create-proto-from-ctor-realm-array.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/concat/create-proto-from-ctor-realm-non-array.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/filter/create-proto-from-ctor-realm-array.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/filter/create-proto-from-ctor-realm-non-array.js"><reason></reason></test>
|
||||
<test id="built-ins/Array/prototype/map/create-proto-from-ctor-realm-array.js"><reason></reason></test>
|
||||
|
||||
Reference in New Issue
Block a user