From 36e1e46016fe95eb7a7fe68811de6a43a202ea2a Mon Sep 17 00:00:00 2001
From: Leszek Swirski
Date: Thu, 8 Nov 2018 13:47:54 +0100
Subject: [PATCH] [parser] Fix off-by-one in parameter count check
Bug: chromium:902610
Change-Id: I4675e3089a09ee75aa81ba2958f30a17621a537e
Reviewed-on: https://chromium-review.googlesource.com/c/1326029
Reviewed-by: Toon Verwaest
Commit-Queue: Leszek Swirski
Cr-Commit-Position: refs/heads/master@{#57358}
---
 src/message-template.h | 2 +-
 src/parsing/parser-base.h | 3 ++-
 test/mjsunit/regress/regress-crbug-902610.js | 11 +++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-902610.js
diff --git a/src/message-template.h b/src/message-template.h
index 2ffbfab19e..b6eb4de575 100644
--- a/src/message-template.h
+++ b/src/message-template.h
@@ -460,7 +460,7 @@ namespace internal {
 T(TooManyArguments, \
 "Too many arguments in function call (only 65535 allowed)") \
 T(TooManyParameters, \
- "Too many parameters in function definition (only 65535 allowed)") \
+ "Too many parameters in function definition (only 65534 allowed)") \
 T(TooManySpreads, \
 "Literal containing too many nested spreads (up to 65534 allowed)") \
 T(TooManyVariables, "Too many variables declared (only 4194303 allowed)") \
diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h
index ec7e3047da..c09864e752 100644
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -3544,7 +3544,8 @@ void ParserBase::ParseFormalParameterList(FormalParametersT* parameters) {
 if (peek() != Token::RPAREN) {
 while (true) {
- if (parameters->arity > Code::kMaxArguments) {
+ // Add one since we're going to be adding a parameter.
+ if (parameters->arity + 1 > Code::kMaxArguments) {
 ReportMessage(MessageTemplate::kTooManyParameters);
 return;
 }
diff --git a/test/mjsunit/regress/regress-crbug-902610.js b/test/mjsunit/regress/regress-crbug-902610.js
new file mode 100644
index 0000000000..11b88f288b
--- /dev/null
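Review bot: The added comment explains the `+ 1` but not why the cap sits where it does, which is the actual bug being fixed; a reader touching this guard later needs that rationale at the check, not only in the regression test. I would expand it to `// Check before consuming the next parameter: the value just above Code::kMaxArguments is reserved for the "don't adapt arguments" sentinel (crbug.com/902610).` — the sentinel reason is taken from the test comment in this patch, so confirm it against the definition of kMaxArguments. The same condition can be written `if (parameters->arity >= Code::kMaxArguments) {`, which makes the pre-increment form explicit without the arithmetic. Note that the 65534 in the TooManyParameters text (message-template.h hunk) is a hand-copied value of the same limit and must be kept in step by hand. ParseFormalParameterList starts and continues outside the hunk.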
+++ b/test/mjsunit/regress/regress-crbug-902610.js
@@ -0,0 +1,11 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(() => {
+ // Make a function with 65535 args. This should throw a SyntaxError because -1
+ // is reserved for the "don't adapt arguments" sentinel.
+ var f_with_65535_args =
+ eval("(function(" + Array(65535).fill("x").join(",") + "){})");
+ f_with_65535_args();
+}, SyntaxError);
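Review bot: The test pins only the rejecting side of the boundary: nothing asserts that a function with one parameter fewer still parses, so a later change that tightens the check by one more (rejecting 65534) would pass this file. Add the accepting case next to it, e.g. `eval("(function(" + Array(65534).fill("x").join(",") + "){})");` outside the assertThrows, so both sides of the limit are covered. The comment's "65535 args" means formal parameters, not call arguments; `// Make a function with 65535 parameters.` avoids conflating it with the separate TooManyArguments limit. The f_with_65535_args() call inside the callback is never reached when eval throws, which is fine but worth a short comment so nobody expects it to exercise the call path.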