Bug 704756: Don't trust function.length property!

Calling js_call with n < 0 led to us popping a negative number of items
from the stack, which could make us miss the stack size check.

Sanitize all uses of function.length in Function.prototype.apply and
Function.prototype.bind.

jsfunction.c

@@ -110,6 +110,8 @@ static void Fp_apply(js_State *J)
 		n = 0;
 	} else {
 		n = js_getlength(J, 2);
+		if (n < 0)
+			n = 0;
 		for (i = 0; i < n; ++i)
 			js_getindex(J, 2, i);
 	}
@@ -143,6 +145,8 @@ static void callbound(js_State *J)
 	args = js_gettop(J);
 	js_getproperty(J, fun, "__BoundArguments__");
 	n = js_getlength(J, args);
+	if (n < 0)
+		n = 0;
 	for (i = 0; i < n; ++i)
 		js_getindex(J, args, i);
 	js_remove(J, args);
@@ -165,6 +169,8 @@ static void constructbound(js_State *J)
 	args = js_gettop(J);
 	js_getproperty(J, fun, "__BoundArguments__");
 	n = js_getlength(J, args);
+	if (n < 0)
+		n = 0;
 	for (i = 0; i < n; ++i)
 		js_getindex(J, args, i);
 	js_remove(J, args);

jsrun.c

@@ -1126,6 +1126,9 @@ void js_call(js_State *J, int n)
 	js_Object *obj;
 	int savebot;
 
+	if (n < 0)
+		js_rangeerror(J, "number of arguments cannot be negative");
+
 	if (!js_iscallable(J, -n-2))
 		js_typeerror(J, "%s is not callable", js_typeof(J, -n-2));