mirror of
https://github.com/RGBCube/serenity
synced 2025-07-24 14:07:43 +00:00
parent
b2a849935b
commit
6fc0b2a43d
2 changed files with 19 additions and 3 deletions
|
@ -4,6 +4,7 @@
|
||||||
* SPDX-License-Identifier: BSD-2-Clause
|
* SPDX-License-Identifier: BSD-2-Clause
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <AK/Checked.h>
|
||||||
#include <AK/TypeCasts.h>
|
#include <AK/TypeCasts.h>
|
||||||
#include <LibJS/Runtime/DataViewPrototype.h>
|
#include <LibJS/Runtime/DataViewPrototype.h>
|
||||||
|
|
||||||
|
@ -87,13 +88,19 @@ static Value get_view_value(GlobalObject& global_object, Value request_index, Va
|
||||||
auto view_size = view->byte_length();
|
auto view_size = view->byte_length();
|
||||||
|
|
||||||
auto element_size = sizeof(T);
|
auto element_size = sizeof(T);
|
||||||
if (get_index + element_size > view_size) {
|
|
||||||
|
Checked<size_t> buffer_index = get_index;
|
||||||
|
buffer_index += view_offset;
|
||||||
|
|
||||||
|
Checked<size_t> end_index = get_index;
|
||||||
|
end_index += element_size;
|
||||||
|
|
||||||
|
if (buffer_index.has_overflow() || end_index.has_overflow() || end_index.value() > view_size) {
|
||||||
vm.throw_exception<RangeError>(global_object, ErrorType::DataViewOutOfRangeByteOffset, get_index, view_size);
|
vm.throw_exception<RangeError>(global_object, ErrorType::DataViewOutOfRangeByteOffset, get_index, view_size);
|
||||||
return {};
|
return {};
|
||||||
}
|
}
|
||||||
|
|
||||||
auto buffer_index = get_index + view_offset;
|
return buffer->get_value<T>(buffer_index.value(), false, ArrayBuffer::Order::Unordered, little_endian);
|
||||||
return buffer->get_value<T>(buffer_index, false, ArrayBuffer::Order::Unordered, little_endian);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// 25.3.1.2 SetViewValue ( view, requestIndex, isLittleEndian, type, value ), https://tc39.es/ecma262/#sec-setviewvalue
|
// 25.3.1.2 SetViewValue ( view, requestIndex, isLittleEndian, type, value ), https://tc39.es/ecma262/#sec-setviewvalue
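Review bot: SetViewValue, whose definition begins right after this hunk, is not touched by the commit. If it still bounds-checks with the unchecked `get_index + element_size > view_size` that was removed here, the same wrap-around lets a huge index pass the check, and on that path the result is an out-of-bounds write rather than a read. Its body is outside the hunk, so this needs confirming, but it should get the same `Checked<size_t>` pair and `has_overflow()` test before it calls into the buffer. In the new condition a short comment such as `// has_overflow() must be tested before value(): value() is only valid on a non-overflowed Checked` would keep a later reordering from breaking the guard. get_view_value itself starts above the hunk.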
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
test("Issue #9336, integer overflow in get_view_value", () => {
|
||||||
|
const dataView = new DataView(new ArrayBuffer(16));
|
||||||
|
expect(() => {
|
||||||
|
dataView.getUint32(0xfffffffc);
|
||||||
|
}).toThrowWithMessage(
|
||||||
|
RangeError,
|
||||||
|
"Data view byte offset 4294967292 is out of range for buffer with length 16"
|
||||||
|
);
|
||||||
|
});
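Review bot: The regression test covers a single getter on a view with byte offset 0, so the `buffer_index` overflow branch and the write path are never exercised. A second `expect` around `dataView.setUint32(0xfffffffc, 0);` and a case built with `new DataView(new ArrayBuffer(16), 8)` would pin both. Also, 0xfffffffc + 4 only wraps where size_t is 32 bits wide; on a 64-bit build this test presumably passes through the ordinary range check, which is worth stating in a comment above the test so nobody assumes the overflow branch is covered there.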
|