mirror of
https://github.com/jerryscript-project/jerryscript.git
synced 2025-12-15 16:29:21 +00:00
4912e3b739
In the Array.slice method when the engine uses fast arrays the "end" value was not updated if the input array's length changed. This can occur when the start/end index normalization executes a method and the length is changed forcefully. This leads to a buffer-overflow as the element copy reads too much data from the input array. JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
32 lines
1.0 KiB
JavaScript
32 lines
1.0 KiB
JavaScript
// Copyright JS Foundation and other contributors, http://js.foundation
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
|
|
var fast_array = [];
|
|
for (var i = 0; i < 1000; i++) {
|
|
fast_array.push(i);
|
|
}
|
|
|
|
var result_array = fast_array.slice(0, {valueOf: function() { fast_array.length = '3'; return 1000; }});
|
|
|
|
assert(result_array.length === 1000);
|
|
|
|
assert(result_array[0] === 0);
|
|
assert(result_array[1] === 1);
|
|
assert(result_array[2] === 2);
|
|
|
|
for (var i = 3; i < 1000; i++) {
|
|
assert(typeof(result_array[i]) === "undefined");
|
|
}
|