Check arguments length in ICCallStubCompiler::guardFunApply.

author: Pale Moon <git-repo@palemoon.org> 2017-02-01 14:52:22 +0100
committer: Pale Moon <git-repo@palemoon.org> 2017-02-01 14:52:22 +0100
commit: de0eb65ea98172bc648405efc801710668950be3 (patch)
tree: 69e94e14f47a6cb0b810f2a850f9bf5d03779c7c /js
parent: 608b9b8fee8f2fcff77e8abe3f149f201fb3df90 (diff)
download: palemoon-gre-de0eb65ea98172bc648405efc801710668950be3.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 1695bfc8a..280cea386 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -9774,6 +9774,12 @@ ICCallStubCompiler::guardFunApply(MacroAssembler& masm, GeneralRegisterSet regs,
                           Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfFlags()),
                           Imm32(BaselineFrame::HAS_ARGS_OBJ),
                           failure);
+
+        // Limit the length to something reasonable.
+        masm.branch32(Assembler::Above,
+                      Address(BaselineFrameReg, BaselineFrame::offsetOfNumActualArgs()),
+                      Imm32(ICCall_ScriptedApplyArray::MAX_ARGS_ARRAY_LENGTH),
+                      failure);
     } else {
         MOZ_ASSERT(applyThing == FunApply_Array);
author	Pale Moon <git-repo@palemoon.org>	2017-02-01 14:52:22 +0100
committer	Pale Moon <git-repo@palemoon.org>	2017-02-01 14:52:22 +0100
commit	de0eb65ea98172bc648405efc801710668950be3 (patch)
tree	69e94e14f47a6cb0b810f2a850f9bf5d03779c7c /js
parent	608b9b8fee8f2fcff77e8abe3f149f201fb3df90 (diff)
download	palemoon-gre-de0eb65ea98172bc648405efc801710668950be3.tar.gz