Title: [254600] branches/safari-609-branch/Source/JavaScriptCore
Revision
254600
Author
alanc...@apple.com
Date
2020-01-15 11:15:15 -0800 (Wed, 15 Jan 2020)

Log Message

Cherry-pick r254218. rdar://problem/58553153

    JSArrayBufferView.h: Multiplication result converted to larger type
    https://bugs.webkit.org/show_bug.cgi?id=205943

    Reviewed by Saam Barati.

    Added cast to size_t to make the whole calculation size_t.

    * runtime/JSArrayBufferView.h:
    (JSC::JSArrayBufferView::sizeOf):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254218 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609-branch/Source/JavaScriptCore/ChangeLog (254599 => 254600)


--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-01-15 19:15:13 UTC (rev 254599)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-01-15 19:15:15 UTC (rev 254600)
@@ -1,5 +1,34 @@
 2020-01-14  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r254218. rdar://problem/58553153
+
+    JSArrayBufferView.h: Multiplication result converted to larger type
+    https://bugs.webkit.org/show_bug.cgi?id=205943
+    
+    Reviewed by Saam Barati.
+    
+    Added cast to size_t to make the whole calculation size_t.
+    
+    * runtime/JSArrayBufferView.h:
+    (JSC::JSArrayBufferView::sizeOf):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-01-08  Michael Saboff  <msab...@apple.com>
+
+            JSArrayBufferView.h: Multiplication result converted to larger type
+            https://bugs.webkit.org/show_bug.cgi?id=205943
+
+            Reviewed by Saam Barati.
+
+            Added cast to size_t to make the whole calculation size_t.
+
+            * runtime/JSArrayBufferView.h:
+            (JSC::JSArrayBufferView::sizeOf):
+
+2020-01-14  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r254188. rdar://problem/58553146
 
     AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32
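
Review bot: The cherry-pick entry added at the top says only "Added cast to size_t to make the whole calculation size_t" and does not record what went wrong without the cast. Since this lands on a release branch, state the failure mode in the entry (per the bug title, the product of the two uint32_t arguments to sizeOf was computed first and only the result was converted to the larger type) and say whether a regression test accompanies the change; the entry lists only runtime/JSArrayBufferView.h.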

Modified: branches/safari-609-branch/Source/JavaScriptCore/runtime/JSArrayBufferView.h (254599 => 254600)


--- branches/safari-609-branch/Source/_javascript_Core/runtime/JSArrayBufferView.h	2020-01-15 19:15:13 UTC (rev 254599)
+++ branches/safari-609-branch/Source/_javascript_Core/runtime/JSArrayBufferView.h	2020-01-15 19:15:15 UTC (rev 254600)
@@ -108,7 +108,7 @@
     
     static size_t sizeOf(uint32_t length, uint32_t elementSize)
     {
-        return (length * elementSize + sizeof(EncodedJSValue) - 1)
+        return (static_cast<size_t>(length) * elementSize + sizeof(EncodedJSValue) - 1)
             & ~(sizeof(EncodedJSValue) - 1);
     }
 
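
Review bot: In the changed return expression, static_cast<size_t>(length) * elementSize widens the multiplication only where size_t is wider than uint32_t; on a build where size_t is 32 bits the product still wraps, and the following + sizeof(EncodedJSValue) - 1 rounding step can wrap there as well. If such builds are supported, do the multiplication in uint64_t or with a checked multiply and fail on overflow, or document next to sizeOf the bound that callers must enforce on length and elementSize. A wrapped result here would be a size smaller than the data the view describes.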
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
