LibJS: Enforce a 2GB "Excessive Length" limit for TypedArrays
parent
56335dab6c
commit
086b6f11c4
1 changed files with 7 additions and 1 deletions
|
@ -143,6 +143,12 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object,
|
|||
if (vm.exception())
|
||||
return;
|
||||
|
||||
// Enforce 2GB "Excessive Length" limit
|
||||
if (length > NumericLimits<i32>::max() / sizeof(TypeError)) {
|
||||
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
|
||||
return;
|
||||
}
|
||||
|
||||
auto element_size = typed_array.element_size();
|
||||
if (Checked<size_t>::multiplication_would_overflow(element_size, length)) {
|
||||
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
|
||||
|
@ -312,7 +318,7 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
|
|||
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
|
||||
return {}; \
|
||||
} \
|
||||
if (array_length > NumericLimits<i32>::max()) { \
|
||||
if (array_length > NumericLimits<i32>::max() / sizeof(Type)) { \
|
||||
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
|
||||
return {}; \
|
||||
} \
|
||||
|
|
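Review bot: The new length cap in the first hunk divides by `sizeof(TypeError)`, the size of the error class, where the matching check in the macro hunk divides by `sizeof(Type)`; this looks like a typo, and it ties the bound to an unrelated object size instead of the element width. The hunk already reads `typed_array.element_size()` two lines later, so the guard could be `if (length > NumericLimits<i32>::max() / typed_array.element_size()) {`, or be moved below that line and divide by `element_size`. The overflow check that follows still stops a wrapped multiplication, so the likely effect is a wrong limit (rejecting valid lengths or admitting buffers past 2GB, depending on the two sizes) rather than an unchecked allocation. A test that builds each typed array kind from an array-like just under and just over the limit would pin this down. The body of initialize_typed_array_from_array_like starts and ends outside the hunk.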