From 7778028f993cd64fc8f1cf4800a5341c395f88c3 Mon Sep 17 00:00:00 2001
From: Ulf Hermann
Date: Thu, 1 Sep 2022 17:18:12 +0200
Subject: V4: Adjust some more index calculations

No, we cannot collapse -inf to 0 before checking for negative nubers.

Task-number: QTBUG-100242
Change-Id: I764c1168add2b321f3af6a7f5194647d0806c159
Reviewed-by: Fabian Kosmale
---
 src/qml/jsruntime/qv4typedarray.cpp | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
(limited to 'src/qml/jsruntime/qv4typedarray.cpp')
diff --git a/src/qml/jsruntime/qv4typedarray.cpp b/src/qml/jsruntime/qv4typedarray.cpp
index af6423dc9c..4961a63e8b 100644
--- a/src/qml/jsruntime/qv4typedarray.cpp
+++ b/src/qml/jsruntime/qv4typedarray.cpp
@@ -260,17 +260,20 @@ ReturnedValue TypedArrayCtor::virtualCallAsConstructor(const FunctionObject *f,
 if (!argc || !argv[0].isObject()) { // ECMA 6 22.2.1.1
- qint64 l = argc ? argv[0].toIndex() : 0;
+ const double l = argc ? argv[0].toInteger() : 0;
 if (scope.hasException()) return Encode::undefined();
- // ### lift UINT_MAX restriction
- if (l < 0 || l > UINT_MAX)
+ if (l < 0 || l > std::numeric_limits::max())
 return scope.engine->throwRangeError(QLatin1String("Index out of range."));
- uint len = (uint)l;
- if (l != len)
- scope.engine->throwRangeError(QStringLiteral("Non integer length for typed array."));
- uint byteLength = len * operations[that->d()->type].bytesPerElement;
- Scoped buffer(scope, scope.engine->newArrayBuffer(byteLength));
+ const double byteLength = l * operations[that->d()->type].bytesPerElement;
+ // TODO: This is an artificial restriction due to the fact that we store the byteLength in
+ // uint below. We should allow up to INT_MAX elements of any size.
+ if (byteLength > std::numeric_limits::max())
+ return scope.engine->throwRangeError(QLatin1String("Index out of range."));
+ Scoped buffer(scope, scope.engine->newArrayBuffer(size_t(byteLength)));
 if (scope.hasException()) return Encode::undefined();
--
cgit v1.2.3
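Review bot: Both new range checks compare a `double` in the form `l < 0 || l > max` and `byteLength > max`, so a NaN would pass them and reach `size_t(byteLength)`, where the floating-point-to-integer conversion is undefined. This is safe only while `toInteger()` never returns NaN (it presumably maps NaN to 0, but that is not visible in this hunk); writing the first check in the negated form `if (!(l >= 0 && l <= limit))`, with `limit` standing for the same bound as now, rejects NaN regardless, or a one-line comment such as `// toInteger() never yields NaN; +/-inf are rejected by the range check below` would record the assumption. The second RangeError reuses the text "Index out of range." although it is the byte size that exceeds the limit, so the two failures cannot be told apart from the message. The enclosing function starts and ends outside the hunk, including the later store of `byteLength` into a `uint` that the TODO refers to, and the diffstat shows no test change accompanying the new -inf handling.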