Fix leak in Array.prototype.indexOf() when 'fromIndex' can't coerce to primitive value.

JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai.u-szeged@partner.samsung.com

Author: dbatyai

jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.cpp

@@ -938,19 +938,21 @@ ecma_builtin_array_prototype_object_index_of (ecma_value_t this_arg, /**< this a
   /* 3. */
   uint32_t len = ecma_number_to_uint32 (len_number);
 
-  ecma_number_t* num_p = ecma_alloc_number ();
-  *num_p = ecma_int32_to_number (-1);
-
   /* 4. */
   if (len == 0)
   {
+    ecma_number_t *num_p = ecma_alloc_number ();
+    *num_p = ecma_int32_to_number (-1);
     ret_value = ecma_make_normal_completion_value (ecma_make_number_value (num_p));
   }
   else
   {
     /* 5. */
     ECMA_OP_TO_NUMBER_TRY_CATCH (arg_from_idx, arg2, ret_value);
 
+    ecma_number_t *num_p = ecma_alloc_number ();
+    *num_p = ecma_int32_to_number (-1);
+
     uint32_t from_idx = ecma_builtin_helper_array_index_normalize (arg_from_idx, len);
 
     /* 6. */

tests/jerry/array-prototype-indexof.js

@@ -45,6 +45,23 @@ assert(obj.indexOf("foo") === -1);
 var arr = [11, 22, 33, 44];
 assert(arr.indexOf(44, 4) === -1);
 
+var fromIndex = {
+	toString: function () {
+		return {};
+	},
+
+	valueOf: function () {
+		return {};
+	}
+};
+
+try {
+    [0, 1].indexOf(1, fromIndex);
+    assert(false);
+} catch (e) {
+    assert(e instanceof TypeError);
+}
+
 // Checking behavior when unable to get length
 var obj = { indexOf : Array.prototype.indexOf}
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });