RESOLVED FIXED 62405
Fix integer overflow in Array.prototype.push 
https://bugs.webkit.org/show_bug.cgi?id=62405
Summary Fix integer overflow in Array.prototype.push
Gavin Barraclough
Reported 2011-06-09 14:21:07 PDT
There are three integer overflows here, leading to safe (not a security risk) but incorrect (non-spec-compliant) behaviour. Two overflows occur when calculating the new length after pushing (one in the fast version of push in JSArray, one in the generic version in ArrayPrototype). The other occurs calculating indices to write to when multiple items are pushed. These errors result in three test-262 failures.
Attachments
The patch (3.66 KB, patch)
2011-06-09 16:33 PDT, Gavin Barraclough 		no flags
DetailsFormatted DiffDiff
Patch with updated LayoutTest results. (7.03 KB, patch)
2011-06-09 16:35 PDT, Gavin Barraclough 		oliver: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Gavin Barraclough
Comment 1 2011-06-09 16:33:56 PDT
Created attachment 96660 [details] The patch
Gavin Barraclough
Comment 2 2011-06-09 16:35:06 PDT
Created attachment 96661 [details] Patch with updated LayoutTest results.
WebKit Review Bot
Comment 3 2011-06-09 16:35:34 PDT
Attachment 96660 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1 Source/JavaScriptCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Review Bot
Comment 4 2011-06-09 16:38:26 PDT
Attachment 96661 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/sput..." exit_code: 1 Source/JavaScriptCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] LayoutTests/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5] Total errors found: 2 in 7 files If any of these errors are false positives, please file a bug against check-webkit-style.
Oliver Hunt
Comment 5 2011-06-09 16:41:06 PDT
Comment on attachment 96661 [details] Patch with updated LayoutTest results. r=me
Geoffrey Garen
Comment 6 2011-06-09 16:42:01 PDT
r=me > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:410 > + Identifier propertyName(exec, JSValue((int64_t)length + (int64_t)n).toString(exec)); static_cast, please. > Source/JavaScriptCore/runtime/ArrayPrototype.cpp:414 > + JSValue newLength = jsNumber((int64_t)length + (int64_t)exec->argumentCount()); Ditto.
Gavin Barraclough
Comment 7 2011-06-09 17:08:41 PDT
Fixed in r88503
Gavin Barraclough
Comment 8 2012-03-12 14:33:40 PDT
*** Bug 55033 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.