From 0e3ee03e2baa2a48ef35e336ef22bd4c311f9940 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sun, 24 Jan 2021 16:43:50 +0100
Subject: [PATCH] LibJS: Throw exception on too large TypedArray construction request
We will now throw a RangeError in these cases:
* new TypedArray with >= INT32_MAX entries
* new TypedArray whose ArrayBuffer allocation size computation would cause a 32-bit unsigned overflow.
---
 Userland/Libraries/LibJS/Runtime/TypedArray.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
index d5bc286e41..1375dfc099 100644
--- a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
+++ b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp
@@ -25,6 +25,7 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+#include
 #include
 #include
 #include
@@ -151,6 +152,15 @@ void TypedArrayBase::visit_edges(Visitor& visitor)
 vm.throw_exception(global_object(), ErrorType::InvalidLength, "typed array"); \
 return {}; \
 } \
+ if (array_length > NumericLimits::max()) { \
+ vm.throw_exception(global_object(), ErrorType::InvalidLength, "typed array"); \
+ return {}; \
+ } \
+ /* FIXME: What is the best/correct behavior here? */ \
+ if (Checked::multiplication_would_overflow(array_length, sizeof(Type))) { \
+ vm.throw_exception(global_object(), ErrorType::InvalidLength, "typed array"); \
+ return {}; \
+ } \
 return ClassName::create(global_object(), array_length); \
 }
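Review bot: The new `array_length > NumericLimits::max()` guard in the second hunk still admits INT32_MAX itself, while the commit description says `>= INT32_MAX entries`; either the comparison should be `>=` or the description should say `>`, since the difference is the largest length a caller can still request before the byte-size computation below. Both added guards and the pre-existing one above them repeat the same throw-and-return, so they could be folded into one condition (the template arguments on `NumericLimits` and `Checked` are not visible in this rendering; the description implies i32 and u32): `if (array_length > NumericLimits<i32>::max() || Checked<u32>::multiplication_would_overflow(array_length, sizeof(Type))) {`. The FIXME can be resolved rather than left open: ECMA-262's CreateByteDataBlock specifies a RangeError when the requested Data Block cannot be created, so a comment such as `/* Spec: AllocateArrayBuffer -> CreateByteDataBlock throws a RangeError when the block cannot be created, so rejecting here matches the spec */` states why this path is correct. Note that the overflow check only rejects arithmetic wrap of the byte size; a length that passes both guards can still request an allocation of up to 4 GiB, and whether such an allocation failure is reported to script or aborts the process is decided inside `ClassName::create`, outside this hunk. The enclosing macro body begins before the hunk.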