RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 01:47:34 +00:00
Code Issues Activity Actions

LibJS: Throw exception on too large TypedArray construction request

Browse source 
We will now throw a RangeError in these cases:

* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would
  cause a 32-bit unsigned overflow.
This commit is contained in:
Andreas Kling 2021-01-24 16:43:50 +01:00
parent ae0be7797f
commit 0e3ee03e2b
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
Userland/Libraries/LibJS/Runtime/TypedArray.cpp
View file

@ -25,6 +25,7 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <AK/Checked.h>
#include <LibJS/Runtime/ArrayBuffer.h>
#include <LibJS/Runtime/GlobalObject.h>
#include <LibJS/Runtime/TypedArray.h>
@ -151,6 +152,15 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
if (array_length > NumericLimits<i32>::max()) { \
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
/* FIXME: What is the best/correct behavior here? */ \
if (Checked<u32>::multiplication_would_overflow(array_length, sizeof(Type))) { \
vm.throw_exception<RangeError>(global_object(), ErrorType::InvalidLength, "typed array"); \
return {}; \
} \
return ClassName::create(global_object(), array_length); \
}