[1.4>master] [MERGE #2350 @atulkatti] Revert the earlier TypedArray change as it may lead to integer overflow.

Atul Katti · Atul Katti · commit b76ba0f26386 · 2017-01-11T13:34:50.000-08:00
Merge pull request #2350 from atulkatti:TypedArray.Bug10450472
diff --git a/lib/Runtime/Library/TypedArray.cpp b/lib/Runtime/Library/TypedArray.cpp
@@ -388,7 +388,6 @@ namespace Js
     Var TypedArrayBase::CreateNewInstance(Arguments& args, ScriptContext* scriptContext, uint32 elementSize, PFNCreateTypedArray pfnCreateTypedArray)
     {
         uint32 byteLength = 0;
-        uint32 newByteLength = 0;
         int32 offset = 0;
         int32 mappedLength = -1;
         uint32 elementCount = 0;
@@ -509,16 +508,7 @@ namespace Js
 
             if (args.Info.Count > 3 && !JavascriptOperators::IsUndefinedObject(args[3]))
             {
-                mappedLength = ArrayBuffer::ToIndex(args[3], JSERR_InvalidTypedArrayLength, scriptContext, ArrayBuffer::MaxArrayBufferLength / elementSize, false);
-                newByteLength = mappedLength * elementSize;
-
-                if (offset + newByteLength > byteLength)
-                {
-                    JavascriptError::ThrowRangeError(
-                        scriptContext, JSERR_InvalidTypedArrayLength);
-                }
-
-                byteLength = newByteLength;
+                mappedLength = ArrayBuffer::ToIndex(args[3], JSERR_InvalidTypedArrayLength, scriptContext, (byteLength - offset) / elementSize, false);
             }
             else
             {

Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,6 @@ namespace Js`
`388`	`388`	`Var TypedArrayBase::CreateNewInstance(Arguments& args, ScriptContext* scriptContext, uint32 elementSize, PFNCreateTypedArray pfnCreateTypedArray)`
`389`	`389`	`{`
`390`	`390`	`uint32 byteLength = 0;`
`391`		`- uint32 newByteLength = 0;`
`392`	`391`	`int32 offset = 0;`
`393`	`392`	`int32 mappedLength = -1;`
`394`	`393`	`uint32 elementCount = 0;`
`@@ -509,16 +508,7 @@ namespace Js`
`509`	`508`
`510`	`509`	`if (args.Info.Count > 3 && !JavascriptOperators::IsUndefinedObject(args[3]))`
`511`	`510`	`{`
`512`		`- mappedLength = ArrayBuffer::ToIndex(args[3], JSERR_InvalidTypedArrayLength, scriptContext, ArrayBuffer::MaxArrayBufferLength / elementSize, false);`
`513`		`- newByteLength = mappedLength * elementSize;`
`514`		`-`
`515`		`- if (offset + newByteLength > byteLength)`
`516`		`- {`
`517`		`- JavascriptError::ThrowRangeError(`
`518`		`- scriptContext, JSERR_InvalidTypedArrayLength);`
`519`		`- }`
`520`		`-`
`521`		`- byteLength = newByteLength;`
	`511`	`+ mappedLength = ArrayBuffer::ToIndex(args[3], JSERR_InvalidTypedArrayLength, scriptContext, (byteLength - offset) / elementSize, false);`
`522`	`512`	`}`
`523`	`513`	`else`
`524`	`514`	`{`