jsc command line tool's support for typed arrays should be robust against array buffer allocation errors

https://bugs.webkit.org/show_bug.cgi?id=104020
<rdar://problem/12802478>

Reviewed by Mark Hahnenberg.

Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
and that is indeed the contract of ArrayBuffer and TypedArrayBase.

* JSCTypedArrayStubs.h:
(JSC):

Change-Id: If57957cd1a5397aeae59a3b9347db9de2f8a56fc
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136536 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

1 files changed, 4 insertions, 1 deletions

diff --git a/Source/JavaScriptCore/JSCTypedArrayStubs.h b/Source/JavaScriptCore/JSCTypedArrayStubs.h
index 2e273f66f..91481fab0 100644
--- a/Source/JavaScriptCore/JSCTypedArrayStubs.h
+++ b/Source/JavaScriptCore/JSCTypedArrayStubs.h
@@ -184,7 +184,10 @@ static EncodedJSValue JSC_HOST_CALL constructJS##name##Array(ExecState* callFram
     if (length < 0) \
         return JSValue::encode(jsUndefined()); \
     Structure* structure = JS##name##Array::createStructure(callFrame->globalData(), callFrame->lexicalGlobalObject(), callFrame->lexicalGlobalObject()->objectPrototype()); \
-    return JSValue::encode(JS##name##Array::create(structure, callFrame->lexicalGlobalObject(), name##Array::create(length)));\
+    RefPtr<name##Array> buffer = name##Array::create(length); \
+    if (!buffer) \
+        return throwVMError(callFrame, createRangeError(callFrame, "ArrayBuffer size is not a small enough positive integer.")); \
+    return JSValue::encode(JS##name##Array::create(structure, callFrame->lexicalGlobalObject(), buffer.release())); \
 }
 
 TYPED_ARRAY(Uint8, uint8_t);