Update String.prototype.repeat to throw non-fatal for length too big

Author: rhuanjl

lib/Runtime/Library/JavascriptString.cpp

@@ -2574,9 +2574,18 @@ namespace Js
 
         if (args.Info.Count > 1)
         {
-            if (!JavascriptOperators::IsUndefinedObject(args[1]))
+            if (TaggedInt::Is(args[1]))
             {
-                double countDbl = JavascriptConversion::ToInteger(args[1], scriptContext);
+                int32 signedCount = TaggedInt::ToInt32(args[1]);
+                if (signedCount < 0)
+                {
+                    JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgumentOutOfRange, _u("String.prototype.repeat"));
+                }
+                count = (uint32) signedCount;
+            }
+            else if (!JavascriptOperators::IsUndefinedObject(args[1]))
+            {
+                double countDbl = JavascriptConversion::ToInteger_Full(args[1], scriptContext);
                 if (JavascriptNumber::IsPosInf(countDbl) || countDbl < 0.0)
                 {
                     JavascriptError::ThrowRangeError(scriptContext, JSERR_ArgumentOutOfRange, _u("String.prototype.repeat"));
@@ -2607,7 +2616,14 @@ namespace Js
         const char16* currentRawString = currentString->GetString();
         charcount_t currentLength = currentString->GetLength();
 
-        charcount_t finalBufferCount = UInt32Math::Add(UInt32Math::Mul(count, currentLength), 1);
+        charcount_t finalBufferCount = 0;
+        bool hasOverflow = UInt32Math::Mul(count, currentLength, &finalBufferCount);
+        if (hasOverflow || !IsValidCharCount(finalBufferCount))
+        {
+            JavascriptError::ThrowRangeError(scriptContext, JSERR_OutOfBoundString);
+        }
+        finalBufferCount = finalBufferCount + 1;
+
         char16* buffer = RecyclerNewArrayLeaf(scriptContext->GetRecycler(), char16, finalBufferCount);
 
         if (currentLength == 1)

test/es6/ES6StringAPIs.js

@@ -1,5 +1,6 @@
 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) 2021 ChakraCore Project Contributors. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------
 
@@ -271,6 +272,7 @@ var tests = [
             assert.throws(function () { s.repeat(-1); }, RangeError, "negative repeat counts are out of range", "String.prototype.repeat: argument out of range");
             assert.throws(function () { s.repeat(-Infinity); }, RangeError, "negative infinite repeat count is out of range", "String.prototype.repeat: argument out of range");
             assert.throws(function () { s.repeat(Infinity); }, RangeError, "infinite repeat count is out of range", "String.prototype.repeat: argument out of range");
+            assert.throws(function () { s.repeat(2 ** 30); }, RangeError, "lengths too large for a string throw");
 
             assert.areEqual("\0\0\0\0", "\0".repeat(4), "null character embedded in string is repeated");
             assert.areEqual("a\0ba\0ba\0b", "a\0b".repeat(3), "null character embedded in string mixed with normal characters is repeated");