Range checking bug in typed array constructor.

R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/14850011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/typedarray.js

@@ -110,7 +110,7 @@ function CreateTypedArrayConstructor(name, elementSize, arrayId, constructor) {
       var newLength = TO_POSITIVE_INTEGER(length);
       newByteLength = newLength * elementSize;
     }
-    if (newByteLength > bufferByteLength) {
+    if (offset + newByteLength > bufferByteLength) {
       throw MakeRangeError("invalid_typed_array_length");
     }
     %TypedArrayInitialize(obj, arrayId, buffer, offset, newByteLength);

test/mjsunit/harmony/typedarrays.js

@@ -192,6 +192,9 @@ function TestTypedArray(proto, elementSize, typicalElement) {
   }
 
   assertThrows(function () { new proto(ab, 256*elementSize); }, RangeError);
+  assertThrows(
+      function () { new proto(ab, 128*elementSize, 192); },
+      RangeError);
 
   if (elementSize !== 1) {
     assertThrows(function() { new proto(ab, 128*elementSize - 1, 10); },