Changeset 7059 in webkit for trunk/JavaScriptCore/kjs/array_object.cpp

Timestamp:

Jul 19, 2004, 4:43:54 PM (21 years ago)

Author:

sullivan

Message:

Reviewed by Maciej.

• bulletproofed array.slice() against NAN arguments. Harri noticed this vulnerability in my patch for 3714644

• kjs/array_object.cpp: (ArrayProtoFuncImp::call): handle NAN parameters passed to slice() by clamping to 0 and length.

File:

• trunk/JavaScriptCore/kjs/array_object.cpp (modified) (2 diffs)

trunk/JavaScriptCore/kjs/array_object.cpp

@@ -584 +584 @@
     if (args[0].type() != UndefinedType) {
         begin = args[0].toInteger(exec);
+        if (isnan(begin)) {
+            begin = 0;
+        }
         if (begin < 0) {
             begin += length;
@@ -596 +599 @@
     if (args[1].type() != UndefinedType) {
       end = args[1].toInteger(exec);
-      if (end < 0) {
+      if (isnan(end)) {
+        end = length;
+      } else if (end < 0) {
         end += length;
         if (end < 0)