AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[typedarray] Fix incorrect access to typed array byte offset.

Browse Source 
Byte offset can be outside of Smi range and must be loaded as a Number
rather than a Smi.

Bug: chromium:852258
Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c
Reviewed-on: https://chromium-review.googlesource.com/1100886
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53748}
This commit is contained in:
Peter Marshall 2018-06-14 15:40:16 +02:00 committed by Commit Bot
parent 5fdea8fd69
commit d69df91c27
2 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/builtins/builtins-typed-array-gen.cc
View File

@ -1365,15 +1365,24 @@ TF_BUILTIN(TypedArrayPrototypeSlice, TypedArrayBuiltinsAssembler) {
TNode<IntPtrT> count_bytes = IntPtrMul(SmiToIntPtr(count), source_el_size);
#ifdef DEBUG
TNode<IntPtrT> target_byte_length =
LoadAndUntagObjectField(result_array, JSTypedArray::kByteLengthOffset);
Label done(this), to_intptr_failed(this, Label::kDeferred);
TNode<IntPtrT> target_byte_length = TryToIntptr(
LoadObjectField<Number>(result_array, JSTypedArray::kByteLengthOffset),
&to_intptr_failed);
CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, target_byte_length));
TNode<IntPtrT> source_byte_length =
LoadAndUntagObjectField(source, JSTypedArray::kByteLengthOffset);
TNode<IntPtrT> source_byte_length = TryToIntptr(
LoadObjectField<Number>(source, JSTypedArray::kByteLengthOffset),
&to_intptr_failed);
TNode<IntPtrT> source_size_in_bytes =
IntPtrSub(source_byte_length, source_start_bytes);
CSA_ASSERT(this, IntPtrLessThanOrEqual(count_bytes, source_size_in_bytes));
Goto(&done);
BIND(&to_intptr_failed);
Unreachable();
BIND(&done);
#endif // DEBUG
CallCMemmove(target_data_ptr, source_start, count_bytes);

11
test/mjsunit/regress/regress-852258.js Normal file
View File

@ -0,0 +1,11 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
try {
let ta0 = new Int16Array(0x24924925);
let ta2 = ta0.slice(1);
let ta1 = ta0.slice(0x24924924);
} catch (e) {
// Allocation failed, that's fine.
}