Fix unchecked size number conversion in ArrayBuffer (#1479)

Free_value after ecma_op_to_number and a related test file.

JerryScript-DCO-1.0-Signed-off-by: Zidong Jiang zidong.jiang@intel.com

jerry-core/ecma/operations/ecma-arraybuffer-object.c

@@ -14,7 +14,7 @@
  */
 
 #include "ecma-arraybuffer-object.h"
-#include "ecma-conversion.h"
+#include "ecma-try-catch-macro.h"
 #include "ecma-objects.h"
 #include "ecma-builtins.h"
 #include "ecma-exceptions.h"
@@ -50,12 +50,22 @@ ecma_op_create_arraybuffer_object (const ecma_value_t *arguments_list_p, /**< li
 
   if (arguments_list_len > 0)
   {
-    ecma_number_t num = ecma_get_number_from_value (ecma_op_to_number (arguments_list_p[0]));
+    ecma_value_t ret = ecma_make_simple_value (ECMA_SIMPLE_VALUE_EMPTY);
+
+    ECMA_OP_TO_NUMBER_TRY_CATCH (num, arguments_list_p[0], ret);
     length = ecma_number_to_uint32 (num);
+
     if (num != ((ecma_number_t) length))
     {
       return ecma_raise_range_error (ECMA_ERR_MSG ("Invalid ArrayBuffer length."));
     }
+
+    ECMA_OP_TO_NUMBER_FINALIZE (num);
+
+    if (!ecma_is_value_empty (ret))
+    {
+      return ret;
+    }
   }
 
   ecma_object_t *object_p = ecma_arraybuffer_new_object (length);

tests/jerry-test-suite/es2015/24/24.01/24.01.02/24.01.02-006.js

@@ -0,0 +1,27 @@
+/* Copyright JS Foundation and other contributors, http://js.foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+var name = "";
+
+try
+{
+  var a = new ArrayBuffer(5.5);
+}
+catch (e)
+{
+  name = e.name;
+}
+
+assert(name === "RangeError");

tests/jerry-test-suite/es2015/24/24.01/24.01.02/24.01.02-007.js

@@ -0,0 +1,27 @@
+/* Copyright JS Foundation and other contributors, http://js.foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+var name = "";
+
+try
+{
+  var a = new ArrayBuffer("string");
+}
+catch (e)
+{
+  name = e.name;
+}
+
+assert(name === "RangeError");

tests/jerry-test-suite/es2015/24/24.01/24.01.02/24.01.02-008.js

@@ -0,0 +1,27 @@
+/* Copyright JS Foundation and other contributors, http://js.foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+var name = "";
+var obj = {};
+try
+{
+  var a = new ArrayBuffer(obj);
+}
+catch (e)
+{
+  name = e.name;
+}
+
+assert(name === "RangeError");