khanson's patch with a comment elaboration for bug 157652 (r=rogerl, sr=me, a=rjesup).

brendan%mozilla.org 2002-07-31 21:42:12 +00:00
parent 7dafb891cc
commit 4cbe5aceda


@ -797,6 +797,7 @@ array_sort(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
jsuint len, newlen, i;
jsval *vec;
jsid id;
size_t nbytes;
/*
* Optimize the default compare function case if all of obj's elements
@ -821,7 +822,17 @@ array_sort(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
return JS_FALSE;
if (len == 0)
return JS_TRUE;
vec = (jsval *) JS_malloc(cx, (size_t) len * sizeof(jsval));
/*
* Test for size_t overflow, which could lead to indexing beyond the end
* of the malloc'd vector.
*/
nbytes = len * sizeof(jsval);
if (nbytes != (double) len * sizeof(jsval)) {
JS_ReportOutOfMemory(cx);
return JS_FALSE;
}
vec = (jsval *) JS_malloc(cx, nbytes);
if (!vec)
return JS_FALSE;
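Review bot: The check on the `if (nbytes != (double) len * sizeof(jsval))` line detects the wrap only because jsuint is 32 bits wide and a double carries 53 mantissa bits, so the exact product is representable and differs from any wrapped size_t; nothing in the hunk records that assumption, and the test would stop catching overflow if len ever became a 64-bit count. I would either add to the block comment `* The double product is exact because len is 32-bit and double has 53 mantissa bits.` or avoid floating point altogether with the integer form `if (nbytes / sizeof(jsval) != len) {`, which holds for any width of len and cannot trip a float-equality warning. Reporting the rejected size through JS_ReportOutOfMemory is a reasonable choice, but a one-line comment such as `/* An unrepresentable byte count is reported as an allocation failure. */` above it would spare the next reader a search for the allocation that failed. array_sort starts before this hunk and continues after it, and the nbytes declaration added in the earlier hunk raises nothing on its own.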