ref: 40b73014d9b41c48f689b80605ce5c9c37fa71cc
parent: dbc0931a5ca5178ad9839819ea7965f29c6a1ba6
author: Tor Andersson <[email protected]>
date: Mon Jul 23 07:30:22 EDT 2018
Fix 699549: Integer overflow in Array.prototype.sort(). Check size calculation for overflow before allocating memory buffer.
--- a/jsarray.c
+++ b/jsarray.c
@@ -296,6 +296,9 @@
return;
}
+ if (len >= INT_MAX / (int)sizeof(*array))
+ js_rangeerror(J, "array is too large to sort");
+
array = js_malloc(J, len * sizeof *array);
if (js_try(J)) {
js_free(J, array);
--- a/jsrun.c
+++ b/jsrun.c
@@ -446,7 +446,7 @@
while (*p) {
int c = *p++;
if (c >= '0' && c <= '9') {
- if (n > INT_MAX / 10 - 1)
+ if (n >= INT_MAX / 10)
return 0;
n = n * 10 + (c - '0');
} else {
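Review bot: The rewritten condition `n >= INT_MAX / 10` is arithmetically identical to the old `n > INT_MAX / 10 - 1`, so this hunk changes readability only, and the bound it expresses is deliberately conservative: with `INT_MAX / 10 == 214748364`, the loop rejects any further digit once `n` reaches that value, so index strings in the range 2147483640 to 2147483647 are treated as non-indices even though they would fit in an `int`. That is a safe choice (rejecting never overflows, and a rejected string presumably falls back to ordinary property lookup), but it is not obvious from the code; a comment would help: `/* conservative: any n >= INT_MAX/10 could overflow on n*10 + digit, so stop here */`. The enclosing function starts and ends outside this hunk, so the handling of the rejected case could not be checked here.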
@@ -553,7 +553,7 @@
double rawlen = jsV_tonumber(J, value);
int newlen = jsV_numbertointeger(rawlen);
if (newlen != rawlen || newlen < 0)
- js_rangeerror(J, "array length");
+ js_rangeerror(J, "invalid array length");
jsV_resizearray(J, obj, newlen);
return;
}