mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-09-30 00:31:14 +00:00
parent
6fc0b2a43d
commit
84053816d5
Notes:
sideshowbarker
2024-07-18 07:06:29 +09:00
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/84053816d51 Pull-request: https://github.com/SerenityOS/serenity/pull/9348
|
@ -136,13 +136,19 @@ static Value set_view_value(GlobalObject& global_object, Value request_index, Va
|
|||
auto view_size = view->byte_length();
|
||||
|
||||
auto element_size = sizeof(T);
|
||||
if (get_index + element_size > view_size) {
|
||||
|
||||
Checked<size_t> buffer_index = get_index;
|
||||
buffer_index += view_offset;
|
||||
|
||||
Checked<size_t> end_index = get_index;
|
||||
end_index += element_size;
|
||||
|
||||
if (buffer_index.has_overflow() || end_index.has_overflow() || end_index.value() > view_size) {
|
||||
vm.throw_exception<RangeError>(global_object, ErrorType::DataViewOutOfRangeByteOffset, get_index, view_size);
|
||||
return {};
|
||||
}
|
||||
|
||||
auto buffer_index = get_index + view_offset;
|
||||
return buffer->set_value<T>(buffer_index, number_value, false, ArrayBuffer::Order::Unordered, little_endian);
|
||||
return buffer->set_value<T>(buffer_index.value(), number_value, false, ArrayBuffer::Order::Unordered, little_endian);
|
||||
}
|
||||
|
||||
// 25.3.4.5 DataView.prototype.getBigInt64 ( byteOffset [ , littleEndian ] ), https://tc39.es/ecma262/#sec-dataview.prototype.getbigint64
|
||||
|
|
|
@ -7,3 +7,23 @@ test("Issue #9336, integer overflow in get_view_value", () => {
|
|||
"Data view byte offset 4294967292 is out of range for buffer with length 16"
|
||||
);
|
||||
});
|
||||
|
||||
test("Issue #9338, integer overflow in set_view_value", () => {
|
||||
const dataView = new DataView(new ArrayBuffer(16));
|
||||
expect(() => {
|
||||
dataView.setUint32(0xfffffffc, 0);
|
||||
}).toThrowWithMessage(
|
||||
RangeError,
|
||||
"Data view byte offset 4294967292 is out of range for buffer with length 16"
|
||||
);
|
||||
});
|
||||
|
||||
test("Issue #9338, integer overflow in set_view_value - zero-length DataView", () => {
|
||||
const dataView = new DataView(new ArrayBuffer(4), 4);
|
||||
expect(() => {
|
||||
dataView.setUint32(0xfffffffc, 0);
|
||||
}).toThrowWithMessage(
|
||||
RangeError,
|
||||
"Data view byte offset 4294967292 is out of range for buffer with length 0"
|
||||
);
|
||||
});
|
||||
|
|
Loading…
Reference in a new issue