RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-30 15:18:11 +00:00
Code Issues Activity Actions

LibJS: Check for add overflow in DataViewConstructor

Browse source 
Use the Checked type from AK to verify that offset + view_byte_length
is buffer_byte_length at most.
This commit is contained in:
Cyber Gsus 2022-06-26 23:33:22 +02:00 committed by Linus Groh
parent bbfafa19b4
commit f97e664d8f
2 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Userland/Libraries/LibJS/Tests/builtins/DataView/DataView-invalid-length-overflow.js Normal file
View file

@ -0,0 +1,6 @@
test("Issue #13451, integer overflow in offset + view_byte_length", () => {
const arrayBuffer = new ArrayBuffer(1);
expect(() => {
new DataView(arrayBuffer, 1, 1024 * 1024 * 1024 * 4 - 1);
}).toThrowWithMessage(RangeError, "Invalid DataView length");
});