1 files changed, 5 insertions, 4 deletions

diff --git a/JavaScriptCore/runtime/JSArray.cpp b/JavaScriptCore/runtime/JSArray.cpp
index 9c3570b..55aa327 100644
--- a/JavaScriptCore/runtime/JSArray.cpp
+++ b/JavaScriptCore/runtime/JSArray.cpp
@@ -421,9 +421,10 @@ NEVER_INLINE void JSArray::putSlowCase(ExecState* exec, unsigned i, JSValue valu
     if (i >= MIN_SPARSE_ARRAY_INDEX)
         newNumValuesInVector -= map->contains(i);
     if (isDenseEnoughForVector(newVectorLength, newNumValuesInVector)) {
+        unsigned needLength = max(i + 1, storage->m_length);
         unsigned proposedNewNumValuesInVector = newNumValuesInVector;
         // If newVectorLength is already the maximum - MAX_STORAGE_VECTOR_LENGTH - then do not attempt to grow any further.
-        while (newVectorLength < MAX_STORAGE_VECTOR_LENGTH) {
+        while ((newVectorLength < needLength) && (newVectorLength < MAX_STORAGE_VECTOR_LENGTH)) {
             unsigned proposedNewVectorLength = getNewVectorLength(newVectorLength + 1);
             for (unsigned j = max(newVectorLength, MIN_SPARSE_ARRAY_INDEX); j < proposedNewVectorLength; ++j)
                 proposedNewNumValuesInVector += map->contains(j);
@@ -553,10 +554,10 @@ ALWAYS_INLINE unsigned JSArray::getNewVectorLength(unsigned desiredLength)
     ASSERT(desiredLength <= MAX_STORAGE_VECTOR_LENGTH);
 
     unsigned increasedLength;
-    unsigned length = m_storage->m_length;
+    unsigned maxInitLength = min(m_storage->m_length, 100000U);
 
-    if (desiredLength < length)
-        increasedLength = length;
+    if (desiredLength < maxInitLength)
+        increasedLength = maxInitLength;
     else if (!m_vectorLength)
         increasedLength = max(desiredLength, lastArraySize);
     else {