From e5817045599790915e1ba08117d1e06d872a1da9 Mon Sep 17 00:00:00 2001
From: David Wendt
Date: Mon, 14 Sep 2020 19:21:14 -0400
Subject: [PATCH] avm2: `new Array()` should reject negative and `NaN` length arguments as errors.

---
 core/src/avm2/globals/array.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/src/avm2/globals/array.rs b/core/src/avm2/globals/array.rs
index dd16ccfa9..4012d6b9d 100644
--- a/core/src/avm2/globals/array.rs
+++ b/core/src/avm2/globals/array.rs
@@ -28,6 +28,10 @@ pub fn instance_init<'gc>(
 .get(0)
 .and_then(|v| v.as_number(activation.context.gc_context).ok())
 {
+ if expected_len < 0.0 || expected_len.is_nan() {
+ return Err("Length must be a positive integer".into());
+ }
+
 array.set_length(expected_len as usize);

 return Ok(Value::Undefined);
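Review bot: The new guard in `instance_init` has no upper bound, so a script-supplied length of `Infinity` or any value above the array index range still reaches `array.set_length(expected_len as usize)`. On current Rust a float-to-integer `as` cast saturates, so such a value becomes `usize::MAX`; if `set_length` sizes the backing storage from it (not visible in this hunk), content loaded from an untrusted file could force an enormous allocation or an abort. Fractional lengths such as `1.5` are also truncated silently even though the error text says "positive integer", and `0` is accepted although it is not positive, so the message and the check disagree. Assuming `as_number` yields an `f64`, a single range test covers NaN, negatives, infinities and oversized values: `if !(0.0..=f64::from(u32::MAX)).contains(&expected_len) || expected_len.fract() != 0.0 {`, with the message reworded to "Length must be a non-negative integer". The body of `instance_init` starts and ends outside this hunk, so the `if let` binding and the fall-through path were not reviewed.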