From: Carlos Garcia Campos
Date: Fri, 6 Mar 2015 07:33:11 +0000 (+0000)
Subject: Fix crash due to integer overflow
X-Git-Tag: archive/raspbian/2.14.3-1+rpi1~1^2^2^2~8
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=08d6d7cea2611b399427f72bf13efdc98c540d52;p=webkit2gtk.git
Fix crash due to integer overflow
===================================================================
Gbp-Pq: Name fix-integer-overflow.patch
---
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index 8404993766..45d8bb802a 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -2023,7 +2023,7 @@ void ByteCodeParser::handleGetById(
 {
 NodeType getById = getByIdStatus.makesCalls() ? GetByIdFlush : GetById;
- if (!getByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+ if (!getByIdStatus.isSimple() || !getByIdStatus.numVariants() || !Options::enableAccessInlining()) {
 set(VirtualRegister(destinationOperand), addToGraph(getById, OpInfo(identifierNumber), OpInfo(prediction), base));
 return;
@@ -2138,7 +2138,7 @@ void ByteCodeParser::handlePutById(
 Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus& putByIdStatus, bool isDirect)
 {
- if (!putByIdStatus.isSimple() || !Options::enableAccessInlining()) {
+ if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::enableAccessInlining()) {
 if (!putByIdStatus.isSet()) addToGraph(ForceOSRExit);
 emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
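Review bot: The added `!getByIdStatus.numVariants()` test in handleGetById, and the matching `!putByIdStatus.numVariants()` test in handlePutById, has no comment explaining how a status can report isSimple() while holding zero variants, so a reader cannot tell an enforced invariant from a workaround. Going by the commit title, the inlining code past each early return presumably does unsigned arithmetic or indexing on numVariants(); that code is outside both hunks, so this is inferred. I would put `// isSimple() does not guarantee a variant; the inlining below assumes numVariants() >= 1.` above each condition. Because this parser compiles untrusted script, it is also worth checking whether other consumers of GetByIdStatus and PutByIdStatus make the same assumption, or enforcing it where the status is built, so the guard need not be repeated at every call site. Both function bodies continue past the end of their hunks.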