shithub: libmujs


ref: 4006739a28367c708dea19aeb19b8a1a9326ce08
parent: 8f62ea10a0af68e56d5c00720523ebcba13c2e6a
author: Tor Andersson <tor.andersson@gmail.com>
date: Tue Jan 24 09:42:36 EST 2017

Fix 697497: Ensure array length is positive.

As a side effect, when changing to using regular integers (and avoiding the
nightmare of mixing signed and unsigned), we accidentally allowed negative
array lengths.

--- a/jsrun.c
+++ b/jsrun.c
@@ -544,7 +544,7 @@
 		if (!strcmp(name, "length")) {
 			double rawlen = jsV_tonumber(J, value);
 			int newlen = jsV_numbertointeger(rawlen);
-			if (newlen != rawlen)
+			if (newlen != rawlen || newlen < 0)
 				js_rangeerror(J, "array length");
 			jsV_resizearray(J, obj, newlen);
 			return;
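Review bot: the added `|| newlen < 0` closes the negative-length hole, but the guard still relies on `jsV_numbertointeger` producing a well-defined `int` for every double; if `rawlen` is outside the `int` range (e.g. `4294967296`) and the conversion is a plain C cast, the result is undefined behaviour and the `newlen != rawlen` comparison cannot be trusted to catch it, so it is worth confirming that the helper clamps or otherwise handles out-of-range input before this comparison runs. Note also that `-0` passes (`0 != -0.0` is false) and resizes to 0, which is the intended ECMAScript behaviour, while NaN is rejected by the first operand. Please add a regression test for this commit along the lines of `try { [].length = -1 } catch (e) { /* expect RangeError */ }` and for a large non-integer length, and check whether any other code path that sets an array length from a script value (outside this hunk) needs the same `< 0` rejection.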