From fdd98529d7f1afab5cbb1bc4b08c07fb2514309e Mon Sep 17 00:00:00 2001
From: Suwei Chen
Date: Mon, 27 Jun 2016 13:57:39 -0700
Subject: [PATCH] Address code review comments
---
 lib/Runtime/Language/InlineCache.h | 6 +++---
 lib/Runtime/Library/JavascriptArray.cpp | 5 +++++
 lib/Runtime/Library/JavascriptArray.h | 1 +
 test/es6/es6IsConcatSpreadable.js | 23 +++++++++++++++++++++++
 4 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/lib/Runtime/Language/InlineCache.h b/lib/Runtime/Language/InlineCache.h
index 6cb52d3f747..bfbb8d96472 100644
--- a/lib/Runtime/Language/InlineCache.h
+++ b/lib/Runtime/Language/InlineCache.h
@@ -992,17 +992,17 @@ namespace Js
 {
 *result = result0;
 lastAccess = 0;
- return TRUE;
+ return true;
 }
 if (type1 == type)
 {
 *result = result1;
 lastAccess = 1;
- return TRUE;
+ return true;
 }
- return FALSE;
+ return false;
 }
 void CacheIsConcatSpreadable(Type *type, BOOL result)
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index f1050c0c925..f0f6fe08b15 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -2972,6 +2972,11 @@ namespace Js
 return;
 }
+ if (length + idxDest > MaxSafeInteger)
+ {
+ JavascriptError::ThrowTypeError(scriptContext, JSERR_IllegalArraySizeAndLength);
+ }
+
 RecyclableObject* itemObject = RecyclableObject::FromVar(aItem);
 Var subItem;
 uint32 lengthToUin32Max = length.IsSmallIndex() ? length.GetSmallIndex() : MaxArrayLength;
diff --git a/lib/Runtime/Library/JavascriptArray.h b/lib/Runtime/Library/JavascriptArray.h
index d2f185b8b4f..95701c6d9b8 100644
--- a/lib/Runtime/Library/JavascriptArray.h
+++ b/lib/Runtime/Library/JavascriptArray.h
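Review bot: The return literals become `true`/`false`, but the declaration of this lookup function is outside the hunk, so whether its return type was also changed from BOOL to bool cannot be seen here, while the companion `void CacheIsConcatSpreadable(Type *type, BOOL result)` at the bottom of the hunk still takes a BOOL. If the lookup now returns bool, the setter should take `bool result` as well so the value stored in the cache and the value handed back to callers share one type; if it still returns BOOL, this literal change is cosmetic and the conversion happens on return. The enclosing function begins before the hunk.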
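Review bot: The added `if (length + idxDest > MaxSafeInteger)` has no comment saying why the sum is bounded, so a reader has to recognise the constant to see that this is the length check from Array.prototype.concat (ES2015 §22.1.3.1, the step that throws a TypeError when n + len > 2^53 - 1); a one-line comment above the `if` naming that step would make the intent and the choice of `>` rather than `>=` self-explanatory. The types of `length` and `idxDest` are not visible in the hunk (`length` looks like a big-index type, given the `IsSmallIndex()` call on the line below), so the comparison is only free of wrap-around if both operands are already limited to the ToLength range when they reach this point; that is worth confirming and recording in the same comment. The enclosing function starts and ends outside the hunk.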
@@ -116,6 +116,7 @@ namespace Js
 static uint32 const MaxArrayLength = InvalidIndex;
 static uint32 const MaxInitialDenseLength=1<<18;
 static ushort const MergeSegmentsLengthHeuristics = 128; // If the length is less than MergeSegmentsLengthHeuristics then try to merge the segments
+ static uint64 const MaxSafeInteger = 0x1FFFFFFFFFFFFF; // 2^53-1
 static const Var MissingItem;
 template
 static T GetMissingItem();
diff --git a/test/es6/es6IsConcatSpreadable.js b/test/es6/es6IsConcatSpreadable.js
index 45a79d0275c..c55c61c274f 100644
--- a/test/es6/es6IsConcatSpreadable.js
+++ b/test/es6/es6IsConcatSpreadable.js
@@ -634,6 +634,29 @@ var tests = [
 test([1.1, 2.2, 3.3], 0, {});
 }
 },
+ {
+ name: "[@@isConcatSpreadable] getter setting illegal length property in object",
+ body: function ()
+ {
+ function test(a) {
+ var b = {"0":1, "1":2, "length": 2};
+ Object.defineProperty(b, Symbol.isConcatSpreadable, {
+ get: function() {
+ b.length = 9007199254740989;
+ return true;
+ }
+ });
+ assert.throws(()=>a.concat(b), TypeError, a, "Illegal length and size specified for the array");
+ }
+
+ test([1, 2, 3]);
+ test([1.1, 2.2, 3.3]);
+ test(["a", "b", "c"]);
+ test([1.1, "b", 3]);
+ test([4, 5.5, "f"]);
+ test([undefined, NaN, function(){}]);
+ }
+ },
 ];
 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
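Review bot: The new `MaxSafeInteger` is written as a fourteen-digit hex literal that a reader must count to check against the `// 2^53-1` comment, while the line above already expresses `MaxInitialDenseLength` as `1<<18`; writing it as `static uint64 const MaxSafeInteger = (1ull << 53) - 1; // Number.MAX_SAFE_INTEGER` makes the value self-checking and follows the style this block already uses. Naming the ECMAScript constant in the comment also tells the reader where the bound comes from.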
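Review bot: The magic `b.length = 9007199254740989` in the getter only pushes `n + len` past 2^53-1 when the receiver has three or more elements (9007199254740989 + 3 = 9007199254740992), but nothing in the test says so, and every fixture passed to `test` happens to have exactly three elements, so a later edit to a two-element fixture would make the assertion fail with no hint why. Deriving the value from the receiver, e.g. `b.length = Number.MAX_SAFE_INTEGER - a.length + 1; // n + len becomes 2^53`, or adding a comment with that arithmetic, makes the intent explicit. The test name says "illegal length property", but what is exercised is the combined length check, so "getter pushing n + len past 2^53-1" would describe it more exactly.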