summaryrefslogtreecommitdiffstats
path: root/js/src/frontend/BytecodeEmitter.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'js/src/frontend/BytecodeEmitter.cpp')
-rw-r--r--js/src/frontend/BytecodeEmitter.cpp25
1 files changed, 20 insertions, 5 deletions
diff --git a/js/src/frontend/BytecodeEmitter.cpp b/js/src/frontend/BytecodeEmitter.cpp
index af580ed..490e761 100644
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@@ -2044,10 +2044,16 @@ Maybe<NameLocation> BytecodeEmitter::locationOfNameBoundInFunctionScope(
}
bool BytecodeEmitter::emitCheck(ptrdiff_t delta, ptrdiff_t* offset) {
- *offset = code().length();
+ size_t oldLength = code().length();
+ *offset = ptrdiff_t(oldLength);
+
+ size_t newLength = oldLength + size_t(delta);
+ if (MOZ_UNLIKELY(newLength > MaxBytecodeLength)) {
+ ReportAllocationOverflow(cx);
+ return false;
+ }
if (!code().growBy(delta)) {
- ReportOutOfMemory(cx);
return false;
}
return true;
@@ -9982,12 +9988,18 @@ bool BytecodeEmitter::emitTreeInBranch(
static bool AllocSrcNote(JSContext* cx, SrcNotesVector& notes,
unsigned* index) {
+ size_t oldLength = notes.length();
+
+ if (MOZ_UNLIKELY(oldLength + 1 > MaxSrcNotesLength)) {
+ ReportAllocationOverflow(cx);
+ return false;
+ }
+
if (!notes.growBy(1)) {
- ReportOutOfMemory(cx);
return false;
}
- *index = notes.length() - 1;
+ *index = oldLength;
return true;
}
@@ -10093,10 +10105,13 @@ bool BytecodeEmitter::setSrcNoteOffset(unsigned index, unsigned which,
/* Maybe this offset was already set to a four-byte value. */
if (!(*sn & SN_4BYTE_OFFSET_FLAG)) {
/* Insert three dummy bytes that will be overwritten shortly. */
+ if (MOZ_UNLIKELY(notes.length() + 3 > MaxSrcNotesLength)) {
+ ReportAllocationOverflow(cx);
+ return false;
+ }
jssrcnote dummy = 0;
if (!(sn = notes.insert(sn, dummy)) || !(sn = notes.insert(sn, dummy)) ||
!(sn = notes.insert(sn, dummy))) {
- ReportOutOfMemory(cx);
return false;
}
}