RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 17:37:37 +00:00
Code Issues Activity Actions

LibJS: Use Checked<T> for offsets in the SetViewValue AO

Browse source 
Fixes #9338.
This commit is contained in:
Linus Groh 2021-08-11 22:16:25 +01:00
parent 6fc0b2a43d
commit 84053816d5
2 changed files with 29 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
Userland/Libraries/LibJS/Runtime/DataViewPrototype.cpp
View file

@ -136,13 +136,19 @@ static Value set_view_value(GlobalObject& global_object, Value request_index, Va
auto view_size = view->byte_length(); auto view_size = view->byte_length();
auto element_size = sizeof(T); auto element_size = sizeof(T);
if (get_index + element_size > view_size) {
Checked<size_t> buffer_index = get_index;
buffer_index += view_offset;
Checked<size_t> end_index = get_index;
end_index += element_size;
if (buffer_index.has_overflow() || end_index.has_overflow() || end_index.value() > view_size) {
vm.throw_exception<RangeError>(global_object, ErrorType::DataViewOutOfRangeByteOffset, get_index, view_size); vm.throw_exception<RangeError>(global_object, ErrorType::DataViewOutOfRangeByteOffset, get_index, view_size);
return {}; return {};
} }
auto buffer_index = get_index + view_offset; return buffer->set_value<T>(buffer_index.value(), number_value, false, ArrayBuffer::Order::Unordered, little_endian);
return buffer->set_value<T>(buffer_index, number_value, false, ArrayBuffer::Order::Unordered, little_endian);
} }
// 25.3.4.5 DataView.prototype.getBigInt64 ( byteOffset [ , littleEndian ] ), https://tc39.es/ecma262/#sec-dataview.prototype.getbigint64 // 25.3.4.5 DataView.prototype.getBigInt64 ( byteOffset [ , littleEndian ] ), https://tc39.es/ecma262/#sec-dataview.prototype.getbigint64

20
Userland/Libraries/LibJS/Tests/builtins/DataView/DataView-invalid-read-and-write.js
View file

@ -7,3 +7,23 @@ test("Issue #9336, integer overflow in get_view_value", () => {
"Data view byte offset 4294967292 is out of range for buffer with length 16" "Data view byte offset 4294967292 is out of range for buffer with length 16"
); );
}); });
test("Issue #9338, integer overflow in set_view_value", () => {
const dataView = new DataView(new ArrayBuffer(16));
expect(() => {
dataView.setUint32(0xfffffffc, 0);
}).toThrowWithMessage(
RangeError,
"Data view byte offset 4294967292 is out of range for buffer with length 16"
);
});
test("Issue #9338, integer overflow in set_view_value - zero-length DataView", () => {
const dataView = new DataView(new ArrayBuffer(4), 4);
expect(() => {
dataView.setUint32(0xfffffffc, 0);
}).toThrowWithMessage(
RangeError,
"Data view byte offset 4294967292 is out of range for buffer with length 0"
);
});