RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 07:57:47 +00:00
Code Issues Activity Actions

LibJS: Enforce a 2GB "Excessive Length" limit for TypedArrays

Browse source
This commit is contained in:
Idan Horowitz 2021-07-05 02:41:09 +03:00 committed by Linus Groh
parent 56335dab6c
commit 086b6f11c4
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibJS/Runtime/TypedArray.cpp
View file

@ -143,6 +143,12 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object,
if (vm.exception()) if (vm.exception())
return; return;
// Enforce 2GB "Excessive Length" limit
if (length > NumericLimits<i32>::max() / sizeof(TypeError)) {
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
return;
}
auto element_size = typed_array.element_size(); auto element_size = typed_array.element_size();
if (Checked<size_t>::multiplication_would_overflow(element_size, length)) { if (Checked<size_t>::multiplication_would_overflow(element_size, length)) {
vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array"); vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array");
@ -312,7 +318,7 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \ vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \ return {}; \
} \ } \
if (array_length > NumericLimits<i32>::max()) { \ if (array_length > NumericLimits<i32>::max() / sizeof(Type)) { \
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \ vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \ return {}; \
} \ } \