Diffstat (limited to 'WebCore/bindings/js/JSWebGLArrayHelper.h')
-rw-r--r--WebCore/bindings/js/JSWebGLArrayHelper.h10
1 files changed, 6 insertions, 4 deletions
diff --git a/WebCore/bindings/js/JSWebGLArrayHelper.h b/WebCore/bindings/js/JSWebGLArrayHelper.h
index 3326d76..481c68f 100644
--- a/WebCore/bindings/js/JSWebGLArrayHelper.h
+++ b/WebCore/bindings/js/JSWebGLArrayHelper.h
@@ -43,14 +43,16 @@ JSC::JSValue setWebGLArrayFromArray(JSC::ExecState* exec, T* webGLArray, JSC::Ar
if (args.at(0).isObject()) {
// void set(in sequence<long> array, [Optional] in unsigned long offset);
JSC::JSObject* array = JSC::asObject(args.at(0));
- unsigned offset = 0;
+ uint32_t offset = 0;
if (args.size() == 2)
offset = args.at(1).toInt32(exec);
- int length = array->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
- if (offset + length > webGLArray->length())
+ uint32_t length = array->get(exec, JSC::Identifier(exec, "length")).toInt32(exec);
+ if (offset > webGLArray->length() ||
+ offset + length > webGLArray->length() ||
+ offset + length < offset)
setDOMException(exec, INDEX_SIZE_ERR);
else {
- for (int i = 0; i < length; i++) {
+ for (uint32_t i = 0; i < length; i++) {
JSC::JSValue v = array->get(exec, i);
if (exec->hadException())
return JSC::jsUndefined();
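Review bot: The new range check depends on unsigned wraparound, and both `offset` and `length` are filled from `toInt32(exec)`, so a negative script value silently becomes a large `uint32_t` before it is tested. The three clauses do appear to reject those cases, but the subtraction form cannot wrap and is easier to audit: `if (offset > webGLArray->length() || length > webGLArray->length() - offset)`. That form assumes `webGLArray->length()` returns an unsigned type, which the hunk does not show. Separately, neither `toInt32(exec)` call is followed by an `exec->hadException()` check, so a conversion that throws is only noticed once the copy loop reaches its first `array->get(exec, i)`. `setWebGLArrayFromArray` begins before this hunk and continues past it.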