Fix byteLength validation in DataView constructor (#3074)

This patch fixes #3072.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
Robert Fancsik 2019-09-09 10:37:01 +02:00 committed by GitHub
parent c79659d3b2
commit e04bbdfff4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 0 deletions


@ -118,6 +118,11 @@ ecma_op_dataview_create (const ecma_value_t *arguments_list_p, /**< arguments li
}
else if (ecma_number_is_infinity (byte_length))
{
if (ecma_number_is_negative (byte_length))
{
return ecma_raise_range_error (ECMA_ERR_MSG ("Invalid DataView length"));
}
viewByteLength = UINT32_MAX;
}
else if (byte_length_int32 <= 0)
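Review bot: The positive-infinity case still falls through to `viewByteLength = UINT32_MAX;`, so whether `new DataView(buf, off, Infinity)` is rejected depends entirely on a bounds check that is outside this hunk. If that later check adds the view offset to `viewByteLength` in 32-bit arithmetic, the sum can wrap and the oversized length would be accepted. It is worth confirming that the comparison is done in `ecma_number_t`, or by subtracting the offset from the buffer length instead of adding. A short comment on the clamp would record that dependency, for example `/* +Infinity: clamped here, the range check below must reject it */`. The `if`/`else if` chain of ecma_op_dataview_create starts before and continues after the lines shown here.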


@ -0,0 +1,23 @@
// Copyright JS Foundation and other contributors, http://js.foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
var arrb = new ArrayBuffer(13);
try {
var d = new DataView(arrb, 12, -Infinity);
d.setFloat32(1, 1);
assert (false);
} catch (e) {
assert (e instanceof RangeError);
}
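Review bot: The `try` block cannot tell which call threw, because `d.setFloat32(1, 1);` can raise a RangeError of its own, so `assert (e instanceof RangeError);` would still pass if the constructor wrongly accepted `-Infinity` and produced a short view. Dropping the `setFloat32` line, so that `new DataView(arrb, 12, -Infinity);` is the only statement before `assert (false);`, pins the failure to the constructor. The test also covers only the negative case; a second `try` with `new DataView(arrb, 12, Infinity);` expecting a RangeError would cover the branch that still assigns `UINT32_MAX`.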