[backingstore] Check maximum size in API creation functions
With this CL we prevent embedders from allocating backing stores that are bigger than what V8 can handle. R=ulan@chromium.org CC=jkummerow@chromium.org Bug: chromium:1008840 Change-Id: Ifff5e14c42fbdae187283540a54ffbfeda935574 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1900455 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#64837}
This commit is contained in:
parent
0dfd9ea512
commit
40c68c36dc
@ -7525,7 +7525,6 @@ Local<ArrayBuffer> v8::ArrayBuffer::New(
|
||||
Isolate* isolate, std::shared_ptr<BackingStore> backing_store) {
|
||||
CHECK_IMPLIES(backing_store->ByteLength() != 0,
|
||||
backing_store->Data() != nullptr);
|
||||
CHECK_LE(backing_store->ByteLength(), i::JSArrayBuffer::kMaxByteLength);
|
||||
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
|
||||
LOG_API(i_isolate, ArrayBuffer, New);
|
||||
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
|
||||
@ -7543,6 +7542,7 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
|
||||
Isolate* isolate, size_t byte_length) {
|
||||
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
|
||||
LOG_API(i_isolate, ArrayBuffer, NewBackingStore);
|
||||
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
|
||||
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
|
||||
std::unique_ptr<i::BackingStoreBase> backing_store =
|
||||
i::BackingStore::Allocate(i_isolate, byte_length,
|
||||
@ -7558,6 +7558,7 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
|
||||
std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
|
||||
void* data, size_t byte_length, BackingStoreDeleterCallback deleter,
|
||||
void* deleter_data) {
|
||||
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
|
||||
std::unique_ptr<i::BackingStoreBase> backing_store =
|
||||
i::BackingStore::WrapAllocation(data, byte_length, deleter, deleter_data,
|
||||
i::SharedFlag::kNotShared);
|
||||
@ -7845,7 +7846,6 @@ Local<SharedArrayBuffer> v8::SharedArrayBuffer::New(
|
||||
CHECK(i::FLAG_harmony_sharedarraybuffer);
|
||||
CHECK_IMPLIES(backing_store->ByteLength() != 0,
|
||||
backing_store->Data() != nullptr);
|
||||
CHECK_LE(backing_store->ByteLength(), i::JSArrayBuffer::kMaxByteLength);
|
||||
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
|
||||
LOG_API(i_isolate, SharedArrayBuffer, New);
|
||||
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
|
||||
@ -7870,6 +7870,7 @@ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
|
||||
Isolate* isolate, size_t byte_length) {
|
||||
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
|
||||
LOG_API(i_isolate, SharedArrayBuffer, NewBackingStore);
|
||||
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
|
||||
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
|
||||
std::unique_ptr<i::BackingStoreBase> backing_store =
|
||||
i::BackingStore::Allocate(i_isolate, byte_length, i::SharedFlag::kShared,
|
||||
@ -7885,6 +7886,7 @@ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
|
||||
std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
|
||||
void* data, size_t byte_length, BackingStoreDeleterCallback deleter,
|
||||
void* deleter_data) {
|
||||
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
|
||||
std::unique_ptr<i::BackingStoreBase> backing_store =
|
||||
i::BackingStore::WrapAllocation(data, byte_length, deleter, deleter_data,
|
||||
i::SharedFlag::kShared);
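Review bot: The two wrapping overloads `NewBackingStore(void* data, size_t byte_length, ...)` gain the size bound but not the null-pointer invariant that `ArrayBuffer::New` and `SharedArrayBuffer::New` enforce a few lines above them (`CHECK_IMPLIES(backing_store->ByteLength() != 0, backing_store->Data() != nullptr)`), so an embedder can still hand `WrapAllocation` a null `data` with a nonzero `byte_length` and get a BackingStore whose length promises memory it does not have. Adding `CHECK_IMPLIES(byte_length != 0, data != nullptr);` beside the new `CHECK_LE` in both overloads would enforce the invariant at the same boundary where the size is now checked. The `-7,+6` hunk headers on the two `New(Isolate*, std::shared_ptr<BackingStore>)` hunks suggest the `CHECK_LE` on `ByteLength()` is being dropped there rather than added (the page lost the +/- markers, so this is inferred); if so, that silently relies on every BackingStore reaching `New` having come through one of the checked creation paths, which deserves a short comment such as `// Size was bounded when the BackingStore was created.` Note also that these are hard CHECKs, so an oversized request aborts the process rather than returning null; the public `v8.h` declarations of `NewBackingStore` (outside this diff) should state that precondition.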
|
||||