From 33bafe0992b36c707f698dba203285caffa8ad3f Mon Sep 17 00:00:00 2001
From: Andreas Gal <gal@mozilla.com>
Date: Tue, 6 Oct 2009 15:24:12 -0700
Subject: [PATCH] Possible overflow in ResizeSlots on 64-bit systems (517644,
 r=jorendorff).

---
 js/src/jsarray.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index e1e0e3b2611..cd4435e2438 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -327,7 +327,7 @@ ResizeSlots(JSContext *cx, JSObject *obj, uint32 oldlen, uint32 newlen)
     }
 
     slots = obj->dslots ? obj->dslots - 1 : NULL;
-    newslots = (jsval *) cx->realloc(slots, (newlen + 1) * sizeof(jsval));
+    newslots = (jsval *) cx->realloc(slots, (size_t(newlen) + 1) * sizeof(jsval));
     if (!newslots)
         return JS_FALSE;