Fixed overflow in Array.prototype.concat().
authorAlexander Borisov <alexander.borisov@nginx.com>
Fri, 19 Apr 2019 14:24:29 +0000 (17:24 +0300)
committerAlexander Borisov <alexander.borisov@nginx.com>
Fri, 19 Apr 2019 14:24:29 +0000 (17:24 +0300)
This closes #131 issue on GitHub.

njs/njs_array.c
njs/test/njs_unit_test.c

index 75b2edb363a6e3452d9949fed06d3129fd7a0473..f421f6e13721d08ad1cdf96d13adb20d69bcf728 100644 (file)
@@ -1125,7 +1125,7 @@ static njs_ret_t
 njs_array_prototype_concat(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
     njs_index_t unused)
 {
-    size_t       length;
+    uint64_t     length;
     nxt_uint_t   i;
     njs_value_t  *value;
     njs_array_t  *array;
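Review bot: The widened `length` in njs_array_prototype_concat() only helps if the sum is range-checked while it is still 64 bits wide; the hunk shows the declaration alone, and the accumulation and the allocation call lie outside it. With a `size_t` accumulator a 32-bit build would presumably wrap at 2**32 total elements, which is exactly the total the added test's 2**27 × 2**5 case reaches. If the allocator takes a narrower length type, the value would be truncated at the call and the overflow would simply move there, so it is worth confirming that the maximum-length comparison happens before any narrowing conversion. A comment on the declaration would record the intent: `/* 64-bit so summed argument lengths cannot wrap before the size check */`.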
index 7f578507be27532b80746838bfc5b19154ee5a5f..7b766fe9c397fd1ca36b99cf1c30d0985b2a2bce 100644 (file)
@@ -7956,6 +7956,14 @@ static njs_unit_test_t  njs_test[] =
     { nxt_string("var x = Array(2**28)"),
       nxt_string("MemoryError") },
 
+    { nxt_string("var r; try {"
+                 "    var x = Array(2**27), y = Array(2**5).fill(x);"
+                 "    Array.prototype.concat.apply(y[0], y.slice(1));"
+                 "} catch (e) {"
+                 "    r = e.name == 'InternalError' || e.name == 'RangeError'"
+                 "} r"),
+      nxt_string("true") },
+
     { nxt_string("var a = new Array(3); a"),
       nxt_string(",,") },