mirror of https://github.com/RGBCube/serenity synced 2025-07-25 17:27:35 +00:00

LibWeb: Avoid overflow and OOB indexing in get_buffer_source_copy()

Previously, this would overflow when both length and offset were
zero, leading to an OOB index into es_array_buffer. This would lead to
a crash on a few MDN pages.
MacDue 2022-09-24 12:37:20 +01:00 committed by Andreas Kling
parent ba065faa54
commit 4d7e4e5da8


@ -72,7 +72,7 @@ ErrorOr<ByteBuffer> get_buffer_source_copy(JS::Object const& buffer_source)
auto bytes = TRY(ByteBuffer::create_zeroed(length));
// 9. For i in the range offset to offset + length 1, inclusive, set bytes[i offset] to ! GetValueFromBuffer(esArrayBuffer, i, Uint8, true, Unordered).
for (u64 i = offset; i <= offset + length - 1; ++i) {
for (u64 i = offset; i < offset + length; ++i) {
auto value = es_array_buffer->get_value<u8>(i, true, JS::ArrayBuffer::Unordered);
bytes[i - offset] = static_cast<u8>(value.as_double());
}
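
Review bot: The new condition `i < offset + length` removes the `length - 1` wraparound for a zero length, but `offset + length` is still an unchecked u64 sum, and nothing in the visible lines bounds it against the size of es_array_buffer before `get_value<u8>(i, ...)` indexes it. If the earlier steps of get_buffer_source_copy() do not already guarantee that, an explicit check (or a checked addition) ahead of the loop would make the bound obvious at the point of use. The step 9 comment still describes the inclusive range from the spec, so a short note that the half-open loop is the same range for non-zero lengths and deliberately runs zero times for an empty buffer would help the next reader. A regression test with a zero-length buffer source would pin down the crash described in the commit message.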