[INFER] Avoid INT_TO_JSID overflow when deleting element in array_shift, bug 642979.

2011-03-19 09:45:05 -07:00
parent 234b117618
commit d8201c90c9
1 changed files with 3 additions and 1 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2307,9 +2307,11 @@ array_shift(JSContext *cx, uintN argc, Value *vp)
                obj->setDenseArrayInitializedLength(initlen - 1);
            } else {
                vp->setUndefined();
+                if (!cx->markTypeCallerUnexpected(TYPE_UNDEFINED))
+                    return JS_FALSE;
            }
            JS_ALWAYS_TRUE(obj->setArrayLength(cx, length));
-            if (!js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(length)))
+            if (!js_SuppressDeletedIndexProperties(cx, obj, length, length + 1))
                return JS_FALSE;
            return JS_TRUE;
        }