Don't read past capacity in js_IsDensePrimitiveArray (582451, r=brendan).

2010-07-27 22:43:49 -07:00
parent e9175de575
commit c7c084593f
1 changed files with 2 additions and 2 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -3156,8 +3156,8 @@ js_IsDensePrimitiveArray(JSObject *obj)
    if (!obj || !obj->isDenseArray())
        return JS_FALSE;

-    jsuint length = obj->getArrayLength();
-    for (jsuint i = 0; i < length; i++) {
+    jsuint capacity = obj->getDenseArrayCapacity();
+    for (jsuint i = 0; i < capacity; i++) {
        if (obj->dslots[i].isObject())
            return JS_FALSE;
    }