LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-15 07:09:43 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibJS: Throw exception on too large TypedArray construction request

Browse Source 
We will now throw a RangeError in these cases:

* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would
  cause a 32-bit unsigned overflow.
This commit is contained in:
Andreas Kling 2021-01-24 16:43:50 +01:00
parent ae0be7797f
commit 0e3ee03e2b
Notes: sideshowbarker 2024-07-18 22:54:15 +09:00 
Author: https://github.com/awesomekling
Commit: https://github.com/SerenityOS/serenity/commit/0e3ee03e2ba
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Userland/Libraries/LibJS/Runtime/TypedArray.cpp
View File

@ -25,6 +25,7 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/Checked.h>
#include <LibJS/Runtime/ArrayBuffer.h>
#include <LibJS/Runtime/GlobalObject.h>
#include <LibJS/Runtime/TypedArray.h>
@ -151,6 +152,15 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
if (array_length > NumericLimits<i32>::max()) { \
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
/* FIXME: What is the best/correct behavior here? */ \
if (Checked<u32>::multiplication_would_overflow(array_length, sizeof(Type))) { \
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
return ClassName::create(global_object(), array_length); \
}