mirror of https://github.com/RGBCube/serenity synced 2025-05-28 13:55:06 +00:00

LibJS: Check for add overflow in DataViewConstructor

Use the Checked type from AK to verify that offset + view_byte_length
is buffer_byte_length at most.
Cyber Gsus 2022-06-26 23:33:22 +02:00 committed by Linus Groh
parent bbfafa19b4
commit f97e664d8f
2 changed files with 9 additions and 1 deletions

@ -0,0 +1,6 @@
test("Issue #13451, integer overflow in offset + view_byte_length", () => {
const arrayBuffer = new ArrayBuffer(1);
expect(() => {
new DataView(arrayBuffer, 1, 1024 * 1024 * 1024 * 4 - 1);
}).toThrowWithMessage(RangeError, "Invalid DataView length");
});
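
Review bot: The test covers only one input, offset 1 plus length `1024 * 1024 * 1024 * 4 - 1`, which sums to exactly 2^32 (0 if the addition is done in 32 bits), so it would still pass if the new check caught only sums that wrap to zero or if it started rejecting valid views. Consider adding, against the same 1-byte buffer, a case that must succeed (`new DataView(arrayBuffer, 0, 1)`), a non-wrapping case that must throw a RangeError (`new DataView(arrayBuffer, 1, 1)`), and one whose sum wraps to a small non-zero value. Writing the length as `2 ** 32 - 1` or `0xffffffff` would also make the intent of the literal easier to read.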