[builtins] Throw when setting typed arrays from large sources

When setting a typed array from an array like object, the 
length of the source can only be converted to a unit32 if 
it is not too large. 

Bug: v8:6704, chromium:761654
Change-Id: I8f89aa348093d8bd4d54aa16d6b5f255d3cb7adc
Reviewed-on: https://chromium-review.googlesource.com/648976
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47798}

src/builtins/builtins-typedarray.cc

@@ -554,15 +554,15 @@ BUILTIN(TypedArrayPrototypeSet) {
       ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, len,
                                          Object::ToLength(isolate, len));
 
-      uint32_t int_l;
-      CHECK(len->ToUint32(&int_l));
       DCHECK_GE(int_offset, 0);
-      if (static_cast<uint32_t>(int_offset) + int_l >
+      if (int_offset + len->Number() >
           Handle<JSTypedArray>::cast(target)->length_value()) {
         THROW_NEW_ERROR_RETURN_FAILURE(
             isolate,
             NewRangeError(MessageTemplate::kTypedArraySetSourceTooLarge));
       }
+      uint32_t int_l;
+      CHECK(DoubleToUint32IfEqualToSelf(len->Number(), &int_l));
       RETURN_FAILURE_ON_EXCEPTION(
           isolate, TypedArraySetFromArrayLike(
                        isolate, Handle<JSTypedArray>::cast(target), obj, int_l,

test/mjsunit/es6/typedarray.js

@@ -885,3 +885,12 @@ for(i = 0; i < typedArrayConstructors.length; i++) {
                  e.message);
   }
 })();
+
+// Regression test 761654
+assertThrows(function LargeSourceArray() {
+  let v0 = {};
+  v0.length =  2 ** 32; // too large for uint32
+  let a = new Int8Array();
+
+  a.set(v0);
+});