From 5f79c9231af02dad7125b31af2772bc3f4aa9793 Mon Sep 17 00:00:00 2001
From: Peter Marshall
Date: Fri, 3 Mar 2017 15:09:22 +0100
Subject: [PATCH] [builtins] Ensure length is within Smi range in TypedArray constructor.

The callsite in ConstructByArrayBuffer could have a length that is above Smi range if the buffer had such a length. Check this before calling. Add a test too.

BUG=v8:5977, chromium:698201
Change-Id: Ic22046a31607f1f85642c8caf7f5ed064edb3110
Reviewed-on: https://chromium-review.googlesource.com/449813
Commit-Queue: Peter Marshall
Reviewed-by: Benedikt Meurer
Cr-Commit-Position: refs/heads/master@{#43589}
---
 src/js/typedarray.js | 3 +++
 test/mjsunit/es6/typedarray.js | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/src/js/typedarray.js b/src/js/typedarray.js
index ef24b58405..70bc14a8b0 100644
--- a/src/js/typedarray.js
+++ b/src/js/typedarray.js
@@ -166,6 +166,9 @@ function NAMEConstructByArrayBuffer(obj, buffer, byteOffset, length) {
     }
   }
   var newLength = newByteLength / ELEMENT_SIZE;
+  if (newLength > %_MaxSmi()) {
+    throw %make_range_error(kInvalidTypedArrayLength);
+  }
   %typed_array_initialize(obj, newLength, buffer, offset, newByteLength, true);
 }
 
diff --git a/test/mjsunit/es6/typedarray.js b/test/mjsunit/es6/typedarray.js
index b6225a4024..e272afb770 100644
--- a/test/mjsunit/es6/typedarray.js
+++ b/test/mjsunit/es6/typedarray.js
@@ -831,3 +831,15 @@ for(i = 0; i < typedArrayConstructors.length; i++) {
     }
   }
 })();
+
+(function TestBufferLengthTooLong() {
+  try {
+    var buf = new ArrayBuffer(2147483648);
+    assertThrows(function() {
+      new Int8Array(buf);
+    }, RangeError);
+  } catch (e) {
+    // The ArrayBuffer allocation fails on 32-bit archs, so no need to try to
+    // construct the typed array.
+  }
+})();
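Review bot: The new Smi-range guard in NAMEConstructByArrayBuffer carries no comment explaining why the bound is %_MaxSmi() rather than an ordinary length limit, and a reader of this line alone cannot tell that the runtime call on the next line requires a Smi; I would add `// %typed_array_initialize takes the length as a Smi; a buffer larger than` / `// Smi range * ELEMENT_SIZE must be rejected here rather than truncated.` above the `if`. The guard is placed after `newLength` is derived from `newByteLength / ELEMENT_SIZE`, which is the right spot since it is the only value handed to the runtime, but the other construction paths (by length, by array-like) are not visible in this patch, so it is worth confirming they apply an equivalent bound before their own initialize call. NAMEConstructByArrayBuffer starts before this hunk, so the earlier validation of `byteOffset` and `newByteLength` cannot be checked from here.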
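Review bot: The `assertThrows` call in TestBufferLengthTooLong sits inside the same `try` whose `catch (e)` swallows every exception, so on a build where `new ArrayBuffer(2147483648)` succeeds but `new Int8Array(buf)` does not throw, the harness's own assertion failure is caught and the test passes vacuously — which defeats the purpose of the regression test for the guard added in src/js/typedarray.js. Only the ArrayBuffer allocation is expected to fail on 32-bit targets, so only that statement should be inside the `try`; the assertion should run unguarded once the buffer exists. The rewrite below keeps the existing comment and the early-return semantics for the 32-bit case.
```javascript
(function TestBufferLengthTooLong() {
  var buf;
  try {
    buf = new ArrayBuffer(2147483648);
  } catch (e) {
    // The ArrayBuffer allocation fails on 32-bit archs, so no need to try to
    // construct the typed array.
    return;
  }
  assertThrows(function() {
    new Int8Array(buf);
  }, RangeError);
})();
```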