js_Array_dense_setelem can call arbitrary JS code (479487, r=jorendorff).

js/src/jsarray.cpp

@@ -828,21 +828,30 @@ js_Array_dense_setelem(JSContext* cx, JSObject* obj, jsint i, jsval v)
 {
     JS_ASSERT(OBJ_IS_DENSE_ARRAY(cx, obj));
 
-    do {
+    /*
-        jsuint capacity = js_DenseArrayCapacity(obj);
+     * Let the interpreter worry about negative array indexes.
-        if ((jsuint)i < capacity) {
+     */
-            if (obj->dslots[i] == JSVAL_HOLE) {
+    if (i < 0)
-                if (cx->runtime->anyArrayProtoHasElement)
+        return JS_FALSE;
-                    break;
+
-                if (i >= obj->fslots[JSSLOT_ARRAY_LENGTH])
+    /*
-                    obj->fslots[JSSLOT_ARRAY_LENGTH] = i + 1;
+     * If needed, grow the array as long it remains dense, otherwise fall off trace.
-                obj->fslots[JSSLOT_ARRAY_COUNT]++;
+     */
-            }
+    jsuint u = jsuint(i);
-            obj->dslots[i] = v;
+    jsuint capacity = js_DenseArrayCapacity(obj);
-            return JS_TRUE;
+    if ((u >= capacity) && (INDEX_TOO_SPARSE(obj, u) || !EnsureCapacity(cx, obj, u + 1)))
-        }
+        return JS_FALSE;
-    } while (0);
+
-    return OBJ_SET_PROPERTY(cx, obj, INT_TO_JSID(i), &v);
+    if (obj->dslots[u] == JSVAL_HOLE) {
+        if (cx->runtime->anyArrayProtoHasElement)
+            return JS_FALSE;
+        if (u >= jsuint(obj->fslots[JSSLOT_ARRAY_LENGTH]))
+            obj->fslots[JSSLOT_ARRAY_LENGTH] = u + 1;
+        ++obj->fslots[JSSLOT_ARRAY_COUNT];
+    }
+
+    obj->dslots[u] = v;
+    return JS_TRUE;
 }
 #endif