[builtins] Ensure length is within Smi range in TypedArray constructor.

The callsite in ConstructByArrayBuffer could have a length that is above Smi range if the buffer had such a length. Check this before calling. Add a test too. BUG=v8:5977, chromium:698201 Change-Id: Ic22046a31607f1f85642c8caf7f5ed064edb3110 Reviewed-on: https://chromium-review.googlesource.com/449813 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#43589}
2017-03-03 15:09:22 +01:00 · 2017-03-03 15:09:22 +01:00 · 5f79c9231a
commit 5f79c9231a
parent ccfe50b95a
2 changed files with 15 additions and 0 deletions
--- a/src/js/typedarray.js
+++ b/src/js/typedarray.js
@ -166,6 +166,9 @@ function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
    }
  }
  var newLength = newByteLength / ELEMENT_SIZE;
+  if (newLength > %_MaxSmi()) {
+    throw %make_range_error(kInvalidTypedArrayLength);
+  }
  %typed_array_initialize(obj, newLength, buffer, offset, newByteLength, true);
 }

--- a/test/mjsunit/es6/typedarray.js
+++ b/test/mjsunit/es6/typedarray.js
@ -831,3 +831,15 @@ for(i = 0; i < typedArrayConstructors.length; i++) {
    }
  }
 })();
+
+(function TestBufferLengthTooLong() {
+  try {
+    var buf = new ArrayBuffer(2147483648);
+    assertThrows(function() {
+      new Int8Array(buf);
+    }, RangeError);
+  } catch (e) {
+    // The ArrayBuffer allocation fails on 32-bit archs, so no need to try to
+    // construct the typed array.
+  }
+})();