LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-11 01:06:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

LibJS: Add missing a TypedArray excessive length limit check

Browse Source 
These checks already existed for the 3 other TypedArray construction
methods. (This commit also fixes an incorrect type in one of them)
This commit is contained in:
Idan Horowitz 2021-07-08 17:48:42 +03:00 committed by Linus Groh
parent c7a839bb24
commit a9de3b1d8f
Notes: sideshowbarker 2024-07-18 10:04:03 +09:00 
Author: https://github.com/IdanHo
Commit: https://github.com/SerenityOS/serenity/commit/a9de3b1d8f1
Pull-request: https://github.com/SerenityOS/serenity/pull/8551
Reviewed-by: https://github.com/linusg
Reviewed-by: https://github.com/trflynn89
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Userland/Libraries/LibJS/Runtime/TypedArray.cpp
View File

@ -144,7 +144,7 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object,
return;
// Enforce 2GB "Excessive Length" limit
if (length > NumericLimits<i32>::max() / sizeof(TypeError)) {
if (length > NumericLimits<i32>::max() / sizeof(T)) {
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
return;
}
@ -175,9 +175,16 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object,
template<typename T>
static void initialize_typed_array_from_list(GlobalObject& global_object, TypedArray<T>& typed_array, const MarkedValueList& list)
{
auto& vm = global_object.vm();
// Enforce 2GB "Excessive Length" limit
if (list.size() > NumericLimits<i32>::max() / sizeof(T)) {
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
return;
}
auto element_size = typed_array.element_size();
if (Checked<size_t>::multiplication_would_overflow(element_size, list.size())) {
global_object.vm().throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
return;
}
auto byte_length = element_size * list.size();
@ -187,7 +194,6 @@ static void initialize_typed_array_from_list(GlobalObject& global_object, TypedA
typed_array.set_byte_offset(0);
typed_array.set_array_length(list.size());
auto& vm = global_object.vm();
for (size_t k = 0; k < list.size(); k++) {
auto value = list[k];
typed_array.set(k, value, true);