From 086b6f11c4cfe5a0a5741a80546c8c4f5074b87d Mon Sep 17 00:00:00 2001
From: Idan Horowitz
Date: Mon, 5 Jul 2021 02:41:09 +0300
Subject: [PATCH] LibJS: Enforce a 2GB "Excessive Length" limit for TypedArrays

---
 Userland/Libraries/LibJS/Runtime/TypedArray.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
index 5a2a836aee..e92bdef156 100644
--- a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
+++ b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
@@ -143,6 +143,12 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object,
 if (vm.exception())
 return;
 
+ // Enforce 2GB "Excessive Length" limit
+ if (length > NumericLimits::max() / sizeof(TypeError)) {
+ vm.throw_exception(global_object, ErrorType::InvalidLength, "typed array");
+ return;
+ }
+
 auto element_size = typed_array.element_size();
 if (Checked::multiplication_would_overflow(element_size, length)) {
 vm.throw_exception(global_object, ErrorType::InvalidLength, "typed array");
@@ -312,7 +318,7 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
 vm.throw_exception(global_object(), ErrorType::InvalidLength, "typed array"); \
 return {}; \
 } \
- if (array_length > NumericLimits::max()) { \
+ if (array_length > NumericLimits::max() / sizeof(Type)) { \
 vm.throw_exception(global_object(), ErrorType::InvalidLength, "typed array"); \
 return {}; \
 } \
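Review bot: The new guard divides by `sizeof(TypeError)`, which is the size of the TypeError object class and not the width of the typed array's elements, so unless that identifier is an extraction artifact for the element template type the cap this hunk enforces has no relation to the 2GB byte limit the subject line describes. The element width is already at hand two lines below as `typed_array.element_size()`, and the macro hunk at @@ -312 divides by `sizeof(Type)`; hoist `auto element_size = typed_array.element_size();` above the guard and write `if (length > NumericLimits::max() / element_size) {` (the template argument of NumericLimits is not visible on this page, so it is left as printed). The comment should also state the unit, since `length` is a count of elements while the limit is in bytes: `// Enforce 2GB "Excessive Length" limit: length is in elements, so cap it at max bytes / element width`. initialize_typed_array_from_array_like begins outside the hunk.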
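Review bot: The macro's limit check is now the same policy as the guard added in the @@ -143 hunk, written twice with different divisors (`sizeof(Type)` here, another spelling there), so the two copies can drift apart; a single static helper taking the element count and element width, called from both the macro and initialize_typed_array_from_array_like, would keep the 2GB rule in one place. The `@@` context label names TypedArrayBase::visit_edges, but the backslash-continued lines show this is a macro body that starts and ends outside the hunk, so a reader has to open the file to see which macro is being changed. A block comment above the check, `/* array_length is in elements; max bytes / sizeof(Type) is the 2GB element cap */`, documents the unit without breaking the line continuation (a `//` comment would swallow the trailing backslash).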