jerryscript

YourWishes/jerryscript

Fork 0

Commit Graph

Author	SHA1	Message	Date
Csaba Osztrogonác	de38764e88	Fix heap buffer overflow in Array.prototype.copyWithin (#4211 ) 2nd and 3rd argument evaluation of Array.prototype.copyWithin can change the length of the array as a side-effect. But ES11 spec says that the algorithm should use the original length. In this case it could happen that the underlying buffer should be extended. Fixes #4204 JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu	2020-09-25 15:06:29 +02:00
kisbg	a470fef8a5	Add length check in copy_within's fast path (#4168 ) fixes #4146 JerryScript-DCO-1.0-Signed-off-by: bence gabor kis kisbg@inf.u-szeged.hu	2020-08-28 10:55:26 +02:00

Author

SHA1

Message

Date

Csaba Osztrogonác

de38764e88

Fix heap buffer overflow in Array.prototype.copyWithin (#4211 )

2nd and 3rd argument evaluation of Array.prototype.copyWithin can change
the length of the array as a side-effect. But ES11 spec says that the
algorithm should use the original length. In this case it could happen
that the underlying buffer should be extended.

Fixes #4204

JerryScript-DCO-1.0-Signed-off-by: Csaba Osztrogonác csaba.osztrogonac@h-lab.eu

2020-09-25 15:06:29 +02:00

kisbg

a470fef8a5

Add length check in copy_within's fast path (#4168 )

fixes #4146

JerryScript-DCO-1.0-Signed-off-by: bence gabor kis kisbg@inf.u-szeged.hu

2020-08-28 10:55:26 +02:00

2 Commits