Fix leak in Array.prototype.indexOf() when 'fromIndex' can't coerce to primitive value.

dbatyai · dbatyai · commit cc32d50c5f54 · 2015-07-21T10:16:24.000+02:00
JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai.u-szeged@partner.samsung.com
diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.cpp b/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.cpp
@@ -938,31 +938,28 @@ ecma_builtin_array_prototype_object_index_of (ecma_value_t this_arg, /**< this a
   /* 3. */
   uint32_t len = ecma_number_to_uint32 (len_number);
 
-  ecma_number_t* num_p = ecma_alloc_number ();
-  *num_p = ecma_int32_to_number (-1);
-
   /* 4. */
   if (len == 0)
   {
+    ecma_number_t *num_p = ecma_alloc_number ();
+    *num_p = ecma_int32_to_number (-1);
     ret_value = ecma_make_normal_completion_value (ecma_make_number_value (num_p));
   }
   else
   {
     /* 5. */
     ECMA_OP_TO_NUMBER_TRY_CATCH (arg_from_idx, arg2, ret_value);
 
+    ecma_number_t found_index = ecma_int32_to_number (-1);
+
     uint32_t from_idx = ecma_builtin_helper_array_index_normalize (arg_from_idx, len);
 
     /* 6. */
-    if (from_idx >= len)
-    {
-      ret_value = ecma_make_normal_completion_value (ecma_make_number_value (num_p));
-    }
-    else
+    if (from_idx < len)
     {
       JERRY_ASSERT (from_idx < len);
 
-      for (; from_idx < len && *num_p < 0 && ecma_is_completion_value_empty (ret_value); from_idx++)
+      for (; from_idx < len && found_index < 0 && ecma_is_completion_value_empty (ret_value); from_idx++)
       {
         ecma_string_t *idx_str_p = ecma_new_ecma_string_from_uint32 (from_idx);
 
@@ -975,23 +972,21 @@ ecma_builtin_array_prototype_object_index_of (ecma_value_t this_arg, /**< this a
           /* 9.b.ii */
           if (ecma_op_strict_equality_compare (arg1, get_value))
           {
-            *num_p = ecma_uint32_to_number (from_idx);
+            found_index = ecma_uint32_to_number (from_idx);
           }
 
           ECMA_FINALIZE (get_value);
         }
 
         ecma_deref_ecma_string (idx_str_p);
       }
+    }
 
-      if (ecma_is_completion_value_empty (ret_value))
-      {
-        ret_value = ecma_make_normal_completion_value (ecma_make_number_value (num_p));
-      }
-      else
-      {
-        ecma_dealloc_number (num_p);
-      }
+    if (ecma_is_completion_value_empty (ret_value))
+    {
+      ecma_number_t *num_p = ecma_alloc_number ();
+      *num_p = found_index;
+      ret_value = ecma_make_normal_completion_value (ecma_make_number_value (num_p));
     }
 
     ECMA_OP_TO_NUMBER_FINALIZE (arg_from_idx);
diff --git a/tests/jerry/array-prototype-indexof.js b/tests/jerry/array-prototype-indexof.js
@@ -45,6 +45,23 @@ assert(obj.indexOf("foo") === -1);
 var arr = [11, 22, 33, 44];
 assert(arr.indexOf(44, 4) === -1);
 
+var fromIndex = {
+	toString: function () {
+		return {};
+	},
+
+	valueOf: function () {
+		return {};
+	}
+};
+
+try {
+    [0, 1].indexOf(1, fromIndex);
+    assert(false);
+} catch (e) {
+    assert(e instanceof TypeError);
+}
+
 // Checking behavior when unable to get length
 var obj = { indexOf : Array.prototype.indexOf}
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });
