From 0809cf96aa0a547150173bd0cb06452dce878d61 Mon Sep 17 00:00:00 2001
From: Rubin Xu
Date: Mon, 18 May 2020 14:45:11 +0100
Subject: Fix integer overflow in NewFixedDoubleArray

Bug: 150706594
Test: atest proxy_resolver_v8_unittest
Change-Id: I23ccda06bdb2dba631236828e5d6eeaf88717812
---
 src/heap/factory.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/heap/factory.cc b/src/heap/factory.cc
index c8528f9f..2ac0d990 100644
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@@ -469,7 +469,7 @@ Handle Factory::NewFixedDoubleArray(int length, PretenureFlag pretenure) {
   DCHECK_LE(0, length);
   if (length == 0) return empty_fixed_array();
-  if (length > FixedDoubleArray::kMaxLength) {
+  if (length < 0 || length > FixedDoubleArray::kMaxLength) {
     isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
   }
   int size = FixedDoubleArray::SizeFor(length);
--
cgit v1.2.3
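Review bot: The new `length < 0` test sits directly under `DCHECK_LE(0, length)` with nothing saying why both exist, and a later cleanup could easily drop one as redundant; a one-line comment on the added `if` would pin the intent, e.g. `// DCHECK_LE is compiled out in release builds; the runtime check is what keeps a negative length out of SizeFor() and the allocation below.` The added condition itself is correct given the visible lines: the `length == 0` early return above it does not reject negatives, and `FixedDoubleArray::SizeFor(length)` is reached next with no other guard. Other fixed-array constructors in this file presumably share the same `DCHECK` + `kMaxLength` shape and may want the same hardening, but they are not in the hunk so that is only a suggestion. `NewFixedDoubleArray` begins at the hunk header and its body continues past the hunk.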