diff options
| author | Rubin Xu <rubinxu@google.com> | 2020-05-18 14:45:11 +0100 |
|---|---|---|
| committer | Rubin Xu <rubinxu@google.com> | 2020-05-18 13:48:08 +0000 |
| commit | 0809cf96aa0a547150173bd0cb06452dce878d61 (patch) | |
| tree | 46d75021e9cb0c5e1b54b886d1045a6cb94c95a2 | |
| parent | a75015f086156bb13d22afe0fb0d3098ec2fd6b6 (diff) | |
| download | v8-0809cf96aa0a547150173bd0cb06452dce878d61.tar.gz | |
Fix integer overflow in NewFixedDoubleArray
Bug: 150706594
Test: atest proxy_resolver_v8_unittest
Change-Id: I23ccda06bdb2dba631236828e5d6eeaf88717812
| -rw-r--r-- | src/heap/factory.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/heap/factory.cc b/src/heap/factory.cc index c8528f9f..2ac0d990 100644 --- a/src/heap/factory.cc +++ b/src/heap/factory.cc @@ -469,7 +469,7 @@ Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length, PretenureFlag pretenure) { DCHECK_LE(0, length); if (length == 0) return empty_fixed_array(); - if (length > FixedDoubleArray::kMaxLength) { + if (length < 0 || length > FixedDoubleArray::kMaxLength) { isolate()->heap()->FatalProcessOutOfMemory("invalid array length"); } int size = FixedDoubleArray::SizeFor(length); |