Title: [254600] branches/safari-609-branch/Source/_javascript_Core
- Revision
- 254600
- Author
- alanc...@apple.com
- Date
- 2020-01-15 11:15:15 -0800 (Wed, 15 Jan 2020)
Log Message
Cherry-pick r254218. rdar://problem/58553153
JSArrayBufferView.h: Multiplication result converted to larger type
https://bugs.webkit.org/show_bug.cgi?id=205943
Reviewed by Saam Barati.
Added cast to size_t to make the whole calculation size_t.
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::sizeOf):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-609-branch/Source/_javascript_Core/ChangeLog (254599 => 254600)
--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog 2020-01-15 19:15:13 UTC (rev 254599)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog 2020-01-15 19:15:15 UTC (rev 254600)
@@ -1,5 +1,34 @@
2020-01-14 Alan Coon <alanc...@apple.com>
+ Cherry-pick r254218. rdar://problem/58553153
+
+ JSArrayBufferView.h: Multiplication result converted to larger type
+ https://bugs.webkit.org/show_bug.cgi?id=205943
+
+ Reviewed by Saam Barati.
+
+ Added cast to size_t to make the whole calculation size_t.
+
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::sizeOf):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-01-08 Michael Saboff <msab...@apple.com>
+
+ JSArrayBufferView.h: Multiplication result converted to larger type
+ https://bugs.webkit.org/show_bug.cgi?id=205943
+
+ Reviewed by Saam Barati.
+
+ Added cast to size_t to make the whole calculation size_t.
+
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::sizeOf):
+
+2020-01-14 Alan Coon <alanc...@apple.com>
+
Cherry-pick r254188. rdar://problem/58553146
AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32
Modified: branches/safari-609-branch/Source/_javascript_Core/runtime/JSArrayBufferView.h (254599 => 254600)
--- branches/safari-609-branch/Source/_javascript_Core/runtime/JSArrayBufferView.h 2020-01-15 19:15:13 UTC (rev 254599)
+++ branches/safari-609-branch/Source/_javascript_Core/runtime/JSArrayBufferView.h 2020-01-15 19:15:15 UTC (rev 254600)
@@ -108,7 +108,7 @@
static size_t sizeOf(uint32_t length, uint32_t elementSize)
{
- return (length * elementSize + sizeof(EncodedJSValue) - 1)
+ return (static_cast<size_t>(length) * elementSize + sizeof(EncodedJSValue) - 1)
& ~(sizeof(EncodedJSValue) - 1);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes