[Webkit-unassigned] [Bug 62405] New: Fix integer overflow in Array.prototype.push
bugzilla-daemon at webkit.org
Thu Jun 9 14:21:06 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=62405
Summary: Fix integer overflow in Array.prototype.push
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
There are three integer overflows here, leading to safe (not a security risk) but incorrect (non-spec-compliant) behaviour.
Two overflows occur when calculating the new length after pushing (one in the fast version of push in JSArray, one in the generic version in ArrayPrototype).
The other occurs when calculating the indices to write to when multiple items are pushed.
These errors result in three test-262 failures.
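As an added illustration of what the report describes (this is not code from WebKit or from the bug's patch), the block below models the ES5 Array.prototype.push algorithm (15.4.4.7: n = ToUint32(length), write each item at ToString(n) and increment, then store n as the new length) next to a deliberately 32-bit version in which the running index and length wrap, and runs both against the engine's own push on a generic object whose length is 2^32 - 1. The receiver objects, the item values and the helper names (specPush, wrappingPush, checkAtBoundary) are constructed for this example. One assumption: current engines implement the ES2015+ variant, which uses ToLength and caps at 2^53 - 1; for a length of 2^32 - 1 and two items that variant produces the same indices and length as the ES5 model, so the comparison holds, but the 2^53 - 1 cap is not modelled here.

```javascript
// Added example, not WebKit code: reference model of ES5 Array.prototype.push
// (15.4.4.7) versus a model whose index/length arithmetic wraps at 32 bits,
// exercised at the 2^32 boundary on a generic (non-Array) receiver.

// ToUint32 as in ES5 9.6: reduce modulo 2^32.
function toUint32(v) {
  return Number(v) >>> 0;
}

// Spec-faithful push: the running index n is a double, so it may grow past
// 2^32 - 1 without wrapping (exact up to 2^53).
function specPush(o, ...items) {
  let n = toUint32(o.length);
  for (const item of items) {
    o[String(n)] = item; // Put(O, ToString(n), E, true)
    n += 1;
  }
  o.length = n;          // Put(O, "length", n, true)
  return n;
}

// Model of the overflowing computation: n is kept as an unsigned 32-bit
// value, as a 32-bit integer counter would be. Constructed for comparison only.
function wrappingPush(o, ...items) {
  let n = toUint32(o.length);
  for (const item of items) {
    o[String(n)] = item;
    n = (n + 1) >>> 0;   // 4294967295 + 1 wraps to 0
  }
  o.length = n;
  return n;
}

// Push two items onto receivers whose length is 2^32 - 1 and compare the
// engine's native push against both models. Generic objects are used because
// a real Array rejects a length above 2^32 - 1 with a RangeError.
function checkAtBoundary() {
  const maxU32 = 0xFFFFFFFF; // 4294967295
  const native = { length: maxU32 };
  const model = { length: maxU32 };
  const wrapped = { length: maxU32 };

  const nativeLen = Array.prototype.push.call(native, "a", "b");
  const modelLen = specPush(model, "a", "b");
  const wrappedLen = wrappingPush(wrapped, "a", "b");

  return {
    nativeLen,
    modelLen,
    wrappedLen,
    // Spec result: items land at 4294967295 and 4294967296, length 4294967297.
    nativeMatchesModel:
      nativeLen === modelLen &&
      native["4294967295"] === "a" &&
      native["4294967296"] === "b" &&
      model["4294967295"] === "a" &&
      model["4294967296"] === "b",
    // Wrapped result: second item overwrites index 0, length becomes 1.
    wrappedWroteIndexZero:
      wrapped["0"] === "b" && wrapped["4294967296"] === undefined && wrappedLen === 1,
  };
}
```

Running checkAtBoundary() in a current engine returns nativeLen and modelLen of 4294967297 with nativeMatchesModel true, while the wrapping model returns 1 and has written the second item to property "0": that is the class of non-spec-compliant (but memory-safe, since the write goes through ordinary property assignment) result the report refers to, and the 2^32 - 1 boundary is the one to probe when checking a push implementation against test-262.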