Changeset 51128 in webkit for trunk/JavaScriptCore/interpreter
Timestamp:
Nov 18, 2009, 12:46:10 PM (16 years ago)
Author:
[email protected]
Message:

Interpreter may do an out of range access when throwing an exception in the profiler.
https://bugs.webkit.org/show_bug.cgi?id=31635

Reviewed by Alexey Proskuryakov.

Add bounds check.

File:
1 edited

  • trunk/JavaScriptCore/interpreter/Interpreter.cpp

    r50916 r51128  
    538538        if (isCallBytecode(codeBlock->instructions()[bytecodeOffset].u.opcode))
    539539            profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 2].u.operand).jsValue());
    540         else if (codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
     540        else if (codeBlock->instructions().size() > (bytecodeOffset + 8) && codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
    541541            profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 10].u.operand).jsValue());
    542542#else
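Review bot: the new guard on the `else if` line covers only the read at `bytecodeOffset + 8`; the `didExecute` call on the next line still indexes `instructions()[bytecodeOffset + 10]` unguarded. That is safe only under the assumption that whenever an `op_construct` opcode sits at `+8` its operands (including `+10`) are guaranteed to be present in the instruction stream; if that invariant is relied on, a comment or an `ASSERT` on `instructions().size() > bytecodeOffset + 10` would document it. Two smaller points: writing the check as `bytecodeOffset + 8 < codeBlock->instructions().size()` reads more naturally than `size() > (bytecodeOffset + 8)`, and the `#else` branch that follows is not shown here, so if it performs the same lookahead it should receive the equivalent bounds check. The changeset edits one file and adds no test; a regression test for bug 31635 exercising the profiler with an exception thrown near the end of a code block would guard against this recurring.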