From 0b9059ed1f3fd1ff714489f8ec8d0bd41d919275 Mon Sep 17 00:00:00 2001
From: Daniel Balla
Date: Fri, 13 Sep 2019 15:37:11 +0200
Subject: [PATCH] Fix string size calculation in builtin string repeat
Fixes #3105
JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu
---
.../ecma-builtin-string-prototype.c | 26 +++++++++----------
.../es2015/regression-test-issue-3105.js | 16 ++++++++++++
2 files changed, 29 insertions(+), 13 deletions(-)
create mode 100644 tests/jerry/es2015/regression-test-issue-3105.js
diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c b/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c
index b3cc7583d7..f227662dbc 100644
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c
@@ -1883,49 +1883,49 @@ ecma_builtin_string_prototype_object_trim (ecma_string_t *original_string_p) /** */ static ecma_value_t ecma_builtin_string_prototype_object_repeat (ecma_string_t *original_string_p, /**< this argument */ - ecma_value_t count) /**< times to repeat */ + ecma_value_t repeat) /**< times to repeat */ { ecma_string_t *ret_string_p; /* 4 */ - ecma_number_t length_number; - ecma_value_t length_value = ecma_get_number (count, &length_number); + ecma_number_t count_number; + ecma_value_t count_value = ecma_get_number (repeat, &count_number); /* 5 */ - if (ECMA_IS_VALUE_ERROR (length_value)) + if (ECMA_IS_VALUE_ERROR (count_value)) { - return length_value; + return count_value; } - int32_t length = ecma_number_to_int32 (length_number); + int32_t repeat_count = ecma_number_to_int32 (count_number); - bool isNan = ecma_number_is_nan (length_number); + bool isNan = ecma_number_is_nan (count_number); /* 6, 7 */ - if (length_number < 0 || (!isNan && ecma_number_is_infinity (length_number))) + if (count_number < 0 || (!isNan && ecma_number_is_infinity (count_number))) { return ecma_raise_range_error (ECMA_ERR_MSG ("Invalid count value")); } - lit_utf8_size_t size = ecma_string_get_utf8_size (original_string_p); + lit_utf8_size_t size = ecma_string_get_size (original_string_p); - if (length == 0 || size == 0 || isNan) + if (repeat_count == 0 || size == 0 || isNan) { return ecma_make_magic_string_value (LIT_MAGIC_STRING__EMPTY); } - if ((uint32_t) length >= (ECMA_STRING_SIZE_LIMIT / size)) + if ((uint32_t) repeat_count >= (ECMA_STRING_SIZE_LIMIT / size)) { return ecma_raise_range_error (ECMA_ERR_MSG ("Invalid string length")); } - lit_utf8_size_t total_size = size * (lit_utf8_size_t) length; + lit_utf8_size_t total_size = size * (lit_utf8_size_t) repeat_count; JMEM_DEFINE_LOCAL_ARRAY (str_buffer, total_size, lit_utf8_byte_t); lit_utf8_byte_t *buffer_ptr = str_buffer; - for (int32_t n = 0; n < length; n++) + for (int32_t n = 0; n < repeat_count; n++) { 
buffer_ptr += ecma_string_copy_to_cesu8_buffer (original_string_p, buffer_ptr, (lit_utf8_size_t) (size));
diff --git a/tests/jerry/es2015/regression-test-issue-3105.js b/tests/jerry/es2015/regression-test-issue-3105.js
new file mode 100644
index 0000000000..a711bff89c
--- /dev/null
+++ b/tests/jerry/es2015/regression-test-issue-3105.js
@@ -0,0 +1,16 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var str = String.fromCharCode([-10] + "123", Date.UTC(15, 13, 15));
+str.repeat(11);
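Review bot: `ecma_number_to_int32 (count_number)` narrows the count before any upper bound is applied, so, assuming it follows ToInt32 modulo-2^32 semantics (its definition is not in this hunk), a finite count of 2^32 or more wraps to a small `repeat_count`. A count of exactly 2^32 would then take the `repeat_count == 0` early return and yield an empty string, and 2^32 + 3 would repeat three times, instead of raising the "Invalid string length" RangeError. The size guard and the allocation both use the wrapped value, so this looks like a correctness gap rather than an out-of-bounds write. Bound the double itself ahead of the empty-string return, with `if (size != 0 && count_number >= (ecma_number_t) (ECMA_STRING_SIZE_LIMIT / size))` raising the same error. The function body continues past the end of the hunk.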
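Review bot: The regression test discards the result of `str.repeat(11)`, so it fails only if the engine crashes or trips an internal assertion; a result of the wrong length would still pass. Check the outcome as well, for example `assert(str.repeat(11).length === str.length * 11);`. The fuzzer-style input is also opaque to the next reader, so a comment such as `// code units whose CESU-8 size differs from their UTF-8 size (issue #3105)` would help. That reading is inferred from the C change in the same commit and should be confirmed before it is written down.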