mirrors/escargot
2
0
Fork 0
mirror of https://github.com/Samsung/escargot.git synced 2026-06-22 10:01:50 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix buffer access bug in builtinTypedArrayCopyWithin

Browse source 
Signed-off-by: Seonghyun Kim <sh8281.kim@samsung.com>
This commit is contained in:
Seonghyun Kim 2026-04-28 17:16:54 +09:00
commit f95e7fe59e
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/builtins/BuiltinTypedArray.cpp
View file

@ -485,7 +485,9 @@ static Value builtinTypedArrayCopyWithin(ExecutionState& state, Value thisValue,
// Set len to TypedArrayLength(taRecord).
len = O->arrayLength();
// Set count to min(count, len - startIndex, len - targetIndex).
count = std::min(std::min(count, len - startIndex), len - targetIndex);
// NOTE: After buffer resize during argument coercion, len - startIndex or len - targetIndex can be negative.
// We must clamp count to non-negative to prevent integer underflow when casting to size_t.
count = std::max(0.0, std::min(std::min(count, len - startIndex), len - targetIndex));
// Let typedArrayName be the String value of O.[[TypedArrayName]].
// Let elementSize be the Number value of the Element Size value specified in Table 59 for typedArrayName.
size_t elementSize = O->elementSize();