Check overflow when TypedArrayObject allocating for 32-bit systems

Signed-off-by: Seonghyun Kim <sh8281.kim@samsung.com>
This commit is contained in:
Seonghyun Kim 2026-05-26 21:01:16 +09:00 committed by MuHong Byun
commit d581b27af6
2 changed files with 11 additions and 3 deletions


@ -249,8 +249,16 @@ bool TypedArrayObject::integerIndexedElementSet(ExecutionState& state, double in
if (length == std::numeric_limits<size_t>::max()) { \
obj->setBuffer(nullptr, 0, 0, 0); \
} else { \
auto buffer = ArrayBufferObject::allocateArrayBuffer(state, state.context()->globalObject()->arrayBuffer(), length * siz); \
obj->setBuffer(buffer, 0, length * siz, length); \
/* Check for overflow: length * elementSize must not overflow size_t */ \
uint64_t byteLength64 = static_cast<uint64_t>(length) * siz; \
/* On 32-bit systems, byteLength64 can overflow size_t, leading to undersized backing store */ \
if (UNLIKELY(byteLength64 > std::numeric_limits<size_t>::max() || byteLength64 >= ArrayBuffer::maxArrayBufferSize)) { \
ErrorObject::throwBuiltinError(state, ErrorCode::RangeError, state.context()->staticStrings().TypedArray.string(), false, \
String::emptyString(), ErrorObject::Messages::GlobalObject_InvalidArrayBufferSize); \
} \
size_t byteLength = static_cast<size_t>(byteLength64); \
auto buffer = ArrayBufferObject::allocateArrayBuffer(state, state.context()->globalObject()->arrayBuffer(), byteLength); \
obj->setBuffer(buffer, 0, byteLength, length); \
} \
return obj; \
} \
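Review bot: The overflow test on the `byteLength64` line is only as strong as the guarantee that the 64-bit product itself cannot wrap, which holds on 32-bit hosts but on 64-bit ones rests on an upper bound for `length` that this hunk does not show. A division-based check needs no widening and is safe on every word size: `if (UNLIKELY(length > std::numeric_limits<size_t>::max() / siz || static_cast<uint64_t>(length) * siz >= ArrayBuffer::maxArrayBufferSize))`, after which `size_t byteLength = length * siz;` cannot overflow and the `uint64_t` temporary goes away (this assumes `siz` is a non-zero element size, as the existing `length * siz` already does). The rejection is also only effective if `ErrorObject::throwBuiltinError` does not return to this line; if it can, add a `return` after the throw so the code never reaches `allocateArrayBuffer` with a truncated size. The enclosing definition is a backslash-continued macro body that begins before and continues past this hunk.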

@ -1 +1 @@
Subproject commit ff0449a235a7a2a9f9019f5bea44cf5e3c80fc02
Subproject commit e978721a0ab7df89e06d2f335cc13e9c4468e4c6