YourWishes/jerryscript
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix invalid typed array construction (#4757)

Browse Source 
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
This commit is contained in:
Zoltan Herczeg
2021-09-02 12:13:00 +02:00
committed by GitHub
parent f94a3c80bd
commit e1ce7dd727
2 changed files with 63 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
jerry-core/ecma/operations/ecma-typedarray-object.c
+28 -11
View File
@@ -800,16 +800,26 @@ ecma_typedarray_create_object_with_length (uint32_t array_length, /**< length of
uint8_t element_size_shift, /**< the size shift of the element length */ uint8_t element_size_shift, /**< the size shift of the element length */
ecma_typedarray_type_t typedarray_id) /**< id of the typedarray */ ecma_typedarray_type_t typedarray_id) /**< id of the typedarray */
{ {
if (array_length > (UINT32_MAX >> element_size_shift)) uint32_t byte_length = UINT32_MAX;
{
return ecma_raise_range_error (ECMA_ERR_MSG ("Maximum TypedArray size is reached"));
}
uint32_t byte_length = array_length << element_size_shift; if (array_length <= (UINT32_MAX >> element_size_shift))
{
byte_length = array_length << element_size_shift;
}
if (byte_length > UINT32_MAX - sizeof (ecma_extended_object_t) - JMEM_ALIGNMENT + 1) if (byte_length > UINT32_MAX - sizeof (ecma_extended_object_t) - JMEM_ALIGNMENT + 1)
{ {
return ecma_raise_range_error (ECMA_ERR_MSG ("Maximum TypedArray size is reached")); #if JERRY_ERROR_MESSAGES
ecma_value_t array_length_value = ecma_make_number_value (array_length);
ecma_value_t result = ecma_raise_standard_error_with_format (JERRY_ERROR_RANGE,
"Invalid typed array length: %",
array_length_value);
ecma_free_value (array_length_value);
return result;
#else /* !JERRY_ERROR_MESSAGES */
return ecma_raise_range_error (NULL);
#endif /* JERRY_ERROR_MESSAGES */
} }
ecma_object_t *new_arraybuffer_p = NULL; ecma_object_t *new_arraybuffer_p = NULL;
@@ -1616,19 +1626,26 @@ ecma_op_create_typedarray (const ecma_value_t *arguments_list_p, /**< the arg li
ecma_number_t num = 0; ecma_number_t num = 0;
if (!ecma_is_value_undefined (arguments_list_p[0]) if (!ecma_is_value_undefined (arguments_list_p[0])
&& ECMA_IS_VALUE_ERROR (ecma_op_to_number (arguments_list_p[0], &num))) && ECMA_IS_VALUE_ERROR (ecma_op_to_index (arguments_list_p[0], &num)))
{ {
return ECMA_VALUE_ERROR; return ECMA_VALUE_ERROR;
} }
uint32_t length = ecma_number_to_uint32 (num);
if (ecma_number_is_infinity (num)) JERRY_ASSERT (num >= 0 && num <= ECMA_NUMBER_MAX_SAFE_INTEGER);
if (num > UINT32_MAX)
{ {
ret = ecma_raise_range_error (ECMA_ERR_MSG ("Invalid TypedArray length")); #if JERRY_ERROR_MESSAGES
ret = ecma_raise_standard_error_with_format (JERRY_ERROR_RANGE,
"Invalid typed array length: %",
arguments_list_p[0]);
#else /* !JERRY_ERROR_MESSAGES */
ret = ecma_raise_range_error (NULL);
#endif /* JERRY_ERROR_MESSAGES */
} }
else else
{ {
ret = ecma_typedarray_create_object_with_length (length, ret = ecma_typedarray_create_object_with_length ((uint32_t) num,
NULL, NULL,
proto_p, proto_p,
element_size_shift, element_size_shift,
tests/jerry/es.next/typedArray-constructor.js
+35
View File
@@ -0,0 +1,35 @@
/* Copyright JS Foundation and other contributors, http://js.foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
function check_range_error(code)
{
try {
eval(code);
assert(false);
} catch (e) {
assert(e instanceof RangeError);
}
}
// Invalid cases
check_range_error("new Uint8Array(1e15)");
check_range_error("new Uint8Array(4294967296)");
check_range_error("new Uint8Array(4294967296 - 1)");
check_range_error("new Uint8Array(-1)");
// Valid cases
assert((new Uint8Array(3.5)).length === 3)
assert((new Uint8Array(-0.5)).length === 0)