JavaScriptCore-1218.35.tar.gz

[apple/javascriptcore.git] / dfg / DFGOperations.cpp

diff --git a/dfg/DFGOperations.cpp b/dfg/DFGOperations.cpp
index 860c486fd5bdfc473464602ff6cd30398812e072..af8212dd37ad039ea2b62821059c573ffa477546 100644 (file)
--- a/dfg/DFGOperations.cpp
+++ b/dfg/DFGOperations.cpp
@@ -1643,6 +1643,11 @@ JSCell* DFG_OPERATION operationMakeRope2(ExecState* exec, JSString* left, JSStri
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
 
+    if (sumOverflows<int32_t>(left->length(), right->length())) {
+        throwOutOfMemoryError(exec);
+        return nullptr;
+    }
+
     return JSRopeString::create(vm, left, right);
 }
 
@@ -1651,6 +1656,11 @@ JSCell* DFG_OPERATION operationMakeRope3(ExecState* exec, JSString* a, JSString*
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
 
+    if (sumOverflows<int32_t>(a->length(), b->length(), c->length())) {
+        throwOutOfMemoryError(exec);
+        return nullptr;
+    }
+
     return JSRopeString::create(vm, a, b, c);
 }