diff options
| author | Idan Horowitz <idan.horowitz@gmail.com> | 2021-07-08 17:48:42 +0300 |
|---|---|---|
| committer | Linus Groh <mail@linusgroh.de> | 2021-07-08 16:30:09 +0100 |
| commit | a9de3b1d8f1e36f5559aec8a3cea840898dafa7a (patch) | |
| tree | 9cfb2c7bb51fa160e0310bf9d86b4c1698f0caa4 | |
| parent | c7a839bb24f560e665e48974c313b6ff19ba1660 (diff) | |
| download | serenity-a9de3b1d8f1e36f5559aec8a3cea840898dafa7a.zip | |
LibJS: Add missing a TypedArray excessive length limit check
These checks already existed for the 3 other TypedArray construction
methods. (This commit also fixes an incorrect type in one of them)
| -rw-r--r-- | Userland/Libraries/LibJS/Runtime/TypedArray.cpp | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp index c46f3174bc..7248ac978c 100644 --- a/Userland/Libraries/LibJS/Runtime/TypedArray.cpp +++ b/Userland/Libraries/LibJS/Runtime/TypedArray.cpp @@ -144,7 +144,7 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object, return; // Enforce 2GB "Excessive Length" limit - if (length > NumericLimits<i32>::max() / sizeof(TypeError)) { + if (length > NumericLimits<i32>::max() / sizeof(T)) { vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array"); return; } @@ -175,9 +175,16 @@ static void initialize_typed_array_from_array_like(GlobalObject& global_object, template<typename T> static void initialize_typed_array_from_list(GlobalObject& global_object, TypedArray<T>& typed_array, const MarkedValueList& list) { + auto& vm = global_object.vm(); + // Enforce 2GB "Excessive Length" limit + if (list.size() > NumericLimits<i32>::max() / sizeof(T)) { + vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array"); + return; + } + auto element_size = typed_array.element_size(); if (Checked<size_t>::multiplication_would_overflow(element_size, list.size())) { - global_object.vm().throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array"); + vm.throw_exception<RangeError>(global_object, ErrorType::InvalidLength, "typed array"); return; } auto byte_length = element_size * list.size(); @@ -187,7 +194,6 @@ static void initialize_typed_array_from_list(GlobalObject& global_object, TypedA typed_array.set_byte_offset(0); typed_array.set_array_length(list.size()); - auto& vm = global_object.vm(); for (size_t k = 0; k < list.size(); k++) { auto value = list[k]; typed_array.set(k, value, true); |