From 8aeb2a055ec58596556d69e499375a2cf73ec84d Mon Sep 17 00:00:00 2001
From: Roland Takacs <rtakacs.u-szeged@partner.samsung.com>
Date: Wed, 15 Jul 2015 12:12:35 +0200
Subject: [PATCH] Fix underflow in JSON.stringify()

JerryScript-DCO-1.0-Signed-off-by: Roland Takacs rtakacs.u-szeged@partner.samsung.com
---
 jerry-core/ecma/builtin-objects/ecma-builtin-json.cpp | 8 ++++----
 tests/jerry/json-stringify.js                         | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-json.cpp b/jerry-core/ecma/builtin-objects/ecma-builtin-json.cpp
index 3fe966e5e..07a9c38f0 100644
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-json.cpp
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-json.cpp
@@ -1002,8 +1002,8 @@ ecma_builtin_json_stringify (ecma_value_t this_arg __attr_unused___, /**< 'this'
                                  ret_value);
 
     /* 6.a */
-    uint32_t num_of_spaces = ecma_number_to_uint32 (array_length_num);
-    uint32_t space = (num_of_spaces > 10) ? 10 : num_of_spaces;
+    int32_t num_of_spaces = ecma_number_to_int32 (array_length_num);
+    int32_t space = (num_of_spaces > 10) ? 10 : num_of_spaces;
 
     /* 6.b */
     if (space < 1)
@@ -1014,12 +1014,12 @@ ecma_builtin_json_stringify (ecma_value_t this_arg __attr_unused___, /**< 'this'
     {
       MEM_DEFINE_LOCAL_ARRAY (space_buff, space, char);
 
-      for (uint32_t i = 0; i < space; i++)
+      for (int32_t i = 0; i < space; i++)
       {
         space_buff[i] = ' ';
       }
 
-      context_p.gap_str_p = ecma_new_ecma_string_from_utf8 ((lit_utf8_byte_t *) space_buff, space);
+      context_p.gap_str_p = ecma_new_ecma_string_from_utf8 ((lit_utf8_byte_t *) space_buff, (lit_utf8_size_t) space);
 
       MEM_FINALIZE_LOCAL_ARRAY (space_buff);
     }
diff --git a/tests/jerry/json-stringify.js b/tests/jerry/json-stringify.js
index 6902476ee..c31f98f47 100644
--- a/tests/jerry/json-stringify.js
+++ b/tests/jerry/json-stringify.js
@@ -163,12 +163,14 @@ assert (JSON.stringify (object, null, "   ") == '{\n   "a": 2\n}');
 assert (JSON.stringify (object, null, "asd") == '{\nasd"a": 2\n}');
 assert (JSON.stringify (object, null, "asd0123456789") == '{\nasd0123456"a": 2\n}');
 assert (JSON.stringify (object, null, 100) == '{\n          "a": 2\n}');
+assert (JSON.stringify (object, null, -5) == '{"a":2}');
 
 array = [2];
 assert (JSON.stringify (array, null, "   ") == '[\n   2\n]');
 assert (JSON.stringify (array, null, "asd") == '[\nasd2\n]');
 assert (JSON.stringify (array, null, "asd0123456789") == '[\nasd01234562\n]');
 assert (JSON.stringify (array, null, 100) == '[\n          2\n]');
+assert (JSON.stringify (array, null, -5) == '[2]');
 
 nested_object = {"a": 2, "b": {"c": 1, "d": true}};
 assert (JSON.stringify (nested_object, null, 2) == '{\n  "b": {\n    "d": true,\n    "c": 1\n  },\n  "a": 2\n}');