Fix overflow in ecma_op_dataview_create (#3111)

Fixes #3109 JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu
2025-12-15 16:29:21 +00:00 · 2019-09-13 17:19:49 +03:00 · 2019-09-13 17:19:49 +03:00 · 17e63e892a
commit 17e63e892a
parent 9f85d21578
2 changed files with 24 additions and 1 deletions
--- a/jerry-core/ecma/operations/ecma-dataview-object.c
+++ b/jerry-core/ecma/operations/ecma-dataview-object.c
@ -135,7 +135,7 @@ ecma_op_dataview_create (const ecma_value_t *arguments_list_p, /**< arguments li
    }

    /* 12.c */
-    if ((ecma_length_t) offset + viewByteLength > buffer_byte_length)
+    if ((ecma_number_t) offset + viewByteLength > buffer_byte_length)
    {
      return ecma_raise_range_error (ECMA_ERR_MSG ("Start offset is outside the bounds of the buffer."));
    }
--- a/tests/jerry/es2015/regression-test-issue-3109.js
+++ b/tests/jerry/es2015/regression-test-issue-3109.js
@ -0,0 +1,23 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var arrb = new ArrayBuffer(14);
+
+try {
+  var arr = new DataView(arrb, 13, Infinity);
+  assert(false);
+  arr.setUint32(9, -65536);
+} catch (e) {
+  assert(e instanceof RangeError);
+}