v8/regress-852258.js at 312dbdd5db5ae0a7ff88aae557d4556e524bf411 - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Peter Marshall d69df91c27 [typedarray] Fix incorrect access to typed array byte offset.

Byte offset can be outside of Smi range and must be loaded as a Number
rather than a Smi.

Bug: chromium:852258
Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c
Reviewed-on: https://chromium-review.googlesource.com/1100886
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53748}

2018-06-15 08:26:41 +00:00

12 lines

328 B

JavaScript

Raw Blame History

 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 try {
   let ta0 = new Int16Array(0x24924925);
   let ta2 = ta0.slice(1);
   let ta1 = ta0.slice(0x24924924);
 } catch (e) {
   // Allocation failed, that's fine.
 }