Bug 1275183 - "Hang if Intl.getCanonicalLocales gets an Array-like-object with negative length". r=waldo

--HG--
extra : rebase_source : 2b775e5f7218a63401f51bfd6b4bfc6a7042f791
This commit is contained in:
Zibi Braniecki 2016-06-03 12:03:00 +02:00
parent 728a8aaccd
commit bc7c0ef5e4
2 changed files with 7 additions and 1 deletions

View File

@ -661,7 +661,7 @@ function CanonicalizeLocaleList(locales) {
if (typeof locales === "string")
locales = [locales];
var O = ToObject(locales);
var len = TO_UINT32(O.length);
var len = ToLength(O.length);
var k = 0;
while (k < len) {
// Don't call ToString(k) - SpiderMonkey is faster with integers.

View File

@ -10,5 +10,11 @@ var locs = { get length() { if (count++ > 0) throw 42; return 0; } };
var locales = Intl.getCanonicalLocales(locs); // shouldn't throw 42
assertEq(locales.length, 0);
var obj = { get 0() { throw new Error("must not be gotten!"); },
length: -Math.pow(2, 32) + 1 };
assertEq(Intl.getCanonicalLocales(obj).length, 0);
if (typeof reportCompare === 'function')
reportCompare(0, 0);