1 files changed, 3 insertions, 0 deletions

diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/Collector.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/Collector.cpp
index 69cb05e17..7d3e27f21 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/Collector.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/Collector.cpp
@@ -365,6 +365,9 @@ collect:
         // didn't find a block, and GC didn't reclaim anything, need to allocate a new block
         size_t numBlocks = heap.numBlocks;
         if (usedBlocks == numBlocks) {
+            static const size_t maxNumBlocks = ULONG_MAX / sizeof(CollectorBlock*) / GROWTH_FACTOR;
+            if (numBlocks > maxNumBlocks)
+                CRASH();
             numBlocks = max(MIN_ARRAY_SIZE, numBlocks * GROWTH_FACTOR);
             heap.numBlocks = numBlocks;
             heap.blocks = static_cast<CollectorBlock**>(fastRealloc(heap.blocks, numBlocks * sizeof(CollectorBlock*)));