Crash: Array with negative index (windows x64)

[X-C3LL]

Hi!

Playing with sciter I found a small bug. In tiscript the access to a negative index in an array is prevented:

var test01 = new Array();
test01[-1] = "A";

// Error: Index out of bounds - Integer(-1)
//  at undefined

And the use of big integers is prevented too:

test01[0x9999999999] = "A";
// Error: Index out of bounds - Integer(-1717986919)
//  at undefined

But if you try to use a big negative index the engine ends crashing (tested with sciter.exe):

<html>
<head>
<script type="text/tiscript">
    var test = new Array(-0x9999999999);
</script>
</head>
<body>
<h1>Test</h1>
</body>

Seeing it in a debugger looks like it tries to create a huge array and crash when it tries to write to a invalid memory location:

000007FEEA9C430 | 48 B8 02 00 00 00 00 00 | movabs rax,2000000000002                |
000007FEEA9C431 | F3 48 AB                | rep stosq qword ptr ds:[rdi],rax        |

In that rep stosq(..) RCX value is 000000005FFEAAB6 and RAX 0002000000000002, so I believe it copied to memory the value of RAX a gazillion of times until it reached a invalid memory address.

I tested it in x32 (windows) and sciter alerts you with a message of "not enough memory" instead of crashing.

I hope this information can be useful for you.

[c-smile]

Yeah, thanks.

These

var test = new Array(-1);
var test = new Array(-0x9999999999);

shall just throw "invalid value" error.

Fixing.