Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-26 19:55:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1411294 - Fix OOM bug in CloneBuffer testing function. r=jonco

Browse Source
This commit is contained in:
Jan de Mooij 2017-11-06 13:44:25 +01:00
parent 170b25f0d8
commit c4a3b069df
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
js/src/builtin/TestingFunctions.cpp
View File

@ -2776,8 +2776,11 @@ class CloneBufferObject : public NativeObject {
}
auto buf = js::MakeUnique<JSStructuredCloneData>(0, 0, nbytes);
if (!buf->Init(nbytes, nbytes))
if (!buf || !buf->Init(nbytes, nbytes)) {
ReportOutOfMemory(cx);
return false;
}
js_memcpy(buf->Start(), data, nbytes);
obj->discard();
obj->setData(buf.release(), true);

13
js/src/jit-test/tests/basic/bug1411294.js Normal file
View File

@ -0,0 +1,13 @@
if (!('oomTest' in this))
quit();
oomTest(function() {
eval(`var clonebuffer = serialize("abc");
clonebuffer.clonebuffer = "\
\\x00\\x00\\x00\\x00\\b\\x00\\xFF\\xFF\\f\
\\x00\\x00\\x00\\x03\\x00\\xFF\\xFF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xF0?\\x00\\x00\\x00\\\x00\\x00\
\\x00\\xFF\\xFF"
var obj = deserialize(clonebuffer)
assertEq(new ({ get }).keys(obj).toString(), "12,ab");
`);
});