-rw-r--r-- | src/qml/jsruntime/qv4arraybuffer.cpp | 7 | ||||
-rw-r--r-- | src/qml/jsruntime/qv4typedarray.cpp | 19 |
2 files changed, 15 insertions, 11 deletions
diff --git a/src/qml/jsruntime/qv4arraybuffer.cpp b/src/qml/jsruntime/qv4arraybuffer.cpp
index b8f6f61820..582369dcf3 100644
--- a/src/qml/jsruntime/qv4arraybuffer.cpp
+++ b/src/qml/jsruntime/qv4arraybuffer.cpp
@@ -30,13 +30,14 @@ ReturnedValue SharedArrayBufferCtor::virtualCallAsConstructor(const FunctionObje
 if (newTarget->isUndefined())
 return scope.engine->throwTypeError();
- qint64 len = argc ? argv[0].toIndex() : 0;
+ const double len = argc ? argv[0].toInteger() : 0;
 if (scope.hasException())
 return Encode::undefined();
- if (len < 0 || len >= INT_MAX)
+ if (len < 0 || len >= std::numeric_limits<int>::max())
 return scope.engine->throwRangeError(QStringLiteral("SharedArrayBuffer: Invalid length."));
- Scoped<SharedArrayBuffer> a(scope, scope.engine->memoryManager->allocate<SharedArrayBuffer>(len));
+ Scoped<SharedArrayBuffer> a(
+ scope, scope.engine->memoryManager->allocate<SharedArrayBuffer>(size_t(len)));
 if (scope.hasException())
 return Encode::undefined();
diff --git a/src/qml/jsruntime/qv4typedarray.cpp b/src/qml/jsruntime/qv4typedarray.cpp
index af6423dc9c..4961a63e8b 100644
--- a/src/qml/jsruntime/qv4typedarray.cpp
+++ b/src/qml/jsruntime/qv4typedarray.cpp
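Review bot: The new guard `if (len < 0 || len >= std::numeric_limits<int>::max())` is only sound if `toInteger()` can never yield NaN: both comparisons are false for NaN, so a NaN length would fall through to `size_t(len)`, which is undefined behaviour in C++ and would hand an arbitrary size to `allocate<SharedArrayBuffer>`. ECMAScript ToInteger maps NaN to +0 and Qt's implementation presumably does the same, but writing the bound in negated form, `if (!(len >= 0 && len < std::numeric_limits<int>::max()))`, rejects NaN regardless of what the converter does and keeps the allocation-size check self-contained; the same applies to the `l < 0 || l > ...` and `byteLength > ...` checks in the qv4typedarray.cpp hunk. `std::numeric_limits` needs `<limits>`, and the include region is outside the hunk, so confirm it is included directly rather than reached transitively. The body of virtualCallAsConstructor continues outside the hunk.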
@@ -260,17 +260,20 @@ ReturnedValue TypedArrayCtor::virtualCallAsConstructor(const FunctionObject *f,
 if (!argc || !argv[0].isObject()) {
 // ECMA 6 22.2.1.1
- qint64 l = argc ? argv[0].toIndex() : 0;
+ const double l = argc ? argv[0].toInteger() : 0;
 if (scope.hasException())
 return Encode::undefined();
- // ### lift UINT_MAX restriction
- if (l < 0 || l > UINT_MAX)
+ if (l < 0 || l > std::numeric_limits<int>::max())
 return scope.engine->throwRangeError(QLatin1String("Index out of range."));
- uint len = (uint)l;
- if (l != len)
- scope.engine->throwRangeError(QStringLiteral("Non integer length for typed array."));
- uint byteLength = len * operations[that->d()->type].bytesPerElement;
- Scoped<ArrayBuffer> buffer(scope, scope.engine->newArrayBuffer(byteLength));
+
+ const double byteLength = l * operations[that->d()->type].bytesPerElement;
+
+ // TODO: This is an artificial restriction due to the fact that we store the byteLength in
+ // uint below. We should allow up to INT_MAX elements of any size.
+ if (byteLength > std::numeric_limits<uint>::max())
+ return scope.engine->throwRangeError(QLatin1String("Index out of range."));
+
+ Scoped<ArrayBuffer> buffer(scope, scope.engine->newArrayBuffer(size_t(byteLength)));
 if (scope.hasException())
 return Encode::undefined();
|