[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.15-1-40151-g37bb677
sullivan
sullivan at 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sat Sep 26 08:51:32 UTC 2009
The following commit has been merged in the debian/unstable branch:
commit 0d378690a0a923cea911a5dfd074689bfc90545d
Author: sullivan <sullivan at 268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jul 19 23:43:54 2004 +0000
Reviewed by Maciej.
- bulletproofed array.slice() against NAN arguments. Harri noticed this
vulnerability in my patch for 3714644
* kjs/array_object.cpp:
(ArrayProtoFuncImp::call):
handle NAN parameters passed to slice() by clamping to 0 and length.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@7059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
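For readers checking the clamp values against the language specification, the following is an added example written for this page, not code from WebKit or KJS. It models the ECMA-262 argument coercion for Array.prototype.slice (ToInteger maps NaN to +0, negatives count from the end, the result is clamped into [0, length]) and compares that model with the host engine's built-in slice on constructed inputs, including the NaN cases this commit targets. Note that the spec sends a NaN end to 0, so slice(0, NaN) is an empty array, not the whole array. The function names are this example's own.

```javascript
// Added example (not WebKit/KJS code): a reference model of how
// Array.prototype.slice coerces its begin/end arguments under ECMA-262
// (ToInteger(NaN) is +0, then clamp into [0, length]), checked against
// the host engine's built-in slice on the inputs the patch cares about.

// Spec-style ToInteger: NaN -> +0, +/-Infinity kept, otherwise truncate.
function toInteger(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Resolve a relative index the way slice does: negatives count from the
// end, and the result is clamped into [0, length]. An undefined argument
// takes the caller's default (0 for begin, length for end).
function resolveIndex(arg, length, defaultValue) {
  if (arg === undefined) return defaultValue;
  let i = toInteger(arg);
  if (i < 0) i = Math.max(length + i, 0);
  return Math.min(i, length);
}

// Model of slice() over a plain array using the two indices above.
function modelSlice(arr, begin, end) {
  const len = arr.length;
  const k = resolveIndex(begin, len, 0);
  const final = resolveIndex(end, len, len);
  const out = [];
  for (let i = k; i < final; i++) out.push(arr[i]);
  return out;
}

// Constructed inputs: the NaN cases from the patch plus the usual relative
// and out-of-range forms. Returns the cases where the model and the
// engine's built-in disagree (empty when the model matches the engine).
function disagreements() {
  const arr = [10, 20, 30, 40];
  const cases = [
    [NaN, undefined], [undefined, NaN], [NaN, NaN],
    ['abc', undefined], [0, 'abc'],          // non-numeric strings coerce to NaN
    [-1, undefined], [1, -1], [-10, 10],     // relative and out-of-range
    [Infinity, undefined], [0, -Infinity],
  ];
  const bad = [];
  for (const [b, e] of cases) {
    const got = JSON.stringify(modelSlice(arr, b, e));
    const want = JSON.stringify(arr.slice(b, e));
    if (got !== want) bad.push({ begin: String(b), end: String(e), got, want });
  }
  return bad;
}
```

Running disagreements() on a spec-conformant engine yields an empty list; modelSlice([1, 2, 3], NaN) is the whole array and modelSlice([1, 2, 3], 0, NaN) is empty, which is the pair of values to keep in mind when reading the two clamps in the patch below.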
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 59766c3..bfc5ab6 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2004-07-19 John Sullivan <sullivan at apple.com>
+
+ Reviewed by Maciej.
+
+ - bulletproofed array.slice() against NAN arguments. Harri noticed this
+ vulnerability in my patch for 3714644
+
+ * kjs/array_object.cpp:
+ (ArrayProtoFuncImp::call):
+ handle NAN parameters passed to slice() by clamping to 0 and length.
+
2004-07-19 Richard Williamson <rjw at apple.com>
Fixed 3733349. Prevent Java applet callbacks into JavaScript after applet
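Review bot: the new ChangeLog entry for kjs/array_object.cpp states the clamp targets ("clamping to 0 and length") but not the mechanism; say which arguments make toInteger return NaN here so a reader does not have to infer it from the bug number. The entry also lists no test; a layout test covering slice(NaN), slice(0, NaN) and a non-numeric string argument would pin the behaviour down.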
diff --git a/JavaScriptCore/kjs/array_object.cpp b/JavaScriptCore/kjs/array_object.cpp
index a684427..4219d31 100644
--- a/JavaScriptCore/kjs/array_object.cpp
+++ b/JavaScriptCore/kjs/array_object.cpp
@@ -583,6 +583,9 @@ Value ArrayProtoFuncImp::call(ExecState *exec, Object &thisObj, const List &args
double begin = 0;
if (args[0].type() != UndefinedType) {
begin = args[0].toInteger(exec);
+ if (isnan(begin)) {
+ begin = 0;
+ }
if (begin < 0) {
begin += length;
if (begin < 0)
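Review bot: the isnan check is placed in slice() only, immediately after the toInteger call on args[0]; since toInteger is the point that yields NaN, every other caller in this file that does arithmetic on its result has the same exposure, and this hunk fixes just one of them. Consider fixing it once in toInteger (ECMA-262 ToInteger maps NaN to +0) or at least auditing the remaining Array.prototype functions here. The `begin = 0` value chosen matches the spec result.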
@@ -595,7 +598,9 @@ Value ArrayProtoFuncImp::call(ExecState *exec, Object &thisObj, const List &args
double end = length;
if (args[1].type() != UndefinedType) {
end = args[1].toInteger(exec);
- if (end < 0) {
+ if (isnan(end)) {
+ end = length;
+ } else if (end < 0) {
end += length;
if (end < 0)
end = 0;
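Review bot: `end = length` for a NaN end deviates from ECMA-262, where ToInteger(NaN) is +0, so `arr.slice(0, NaN)` should return an empty array rather than the whole array; it is also inconsistent with the begin branch above, which clamps NaN to 0. Suggest `if (isnan(end)) end = 0;` as a standalone statement ahead of the unchanged `if (end < 0) {` check, which then handles the value as before.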