archive-gh-me/jerryscript
1
0
Fork 0
mirror of https://github.com/jerryscript-project/jerryscript.git synced 2025-12-15 16:29:21 +00:00
Code Issues Projects Releases Wiki Activity

Fix invalid typed array construction (#4757)

Browse Source 
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
This commit is contained in:
Zoltan Herczeg 2021-09-02 12:13:00 +02:00 committed by GitHub
parent f94a3c80bd
commit e1ce7dd727
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 63 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
jerry-core/ecma/operations/ecma-typedarray-object.c
View File

@ -800,16 +800,26 @@ ecma_typedarray_create_object_with_length (uint32_t array_length, /**< length of
uint8_t element_size_shift, /**< the size shift of the element length */
ecma_typedarray_type_t typedarray_id) /**< id of the typedarray */
{
if (array_length > (UINT32_MAX >> element_size_shift))
{
return ecma_raise_range_error (ECMA_ERR_MSG ("Maximum TypedArray size is reached"));
}
uint32_t byte_length = UINT32_MAX;
uint32_t byte_length = array_length << element_size_shift;
if (array_length <= (UINT32_MAX >> element_size_shift))
{
byte_length = array_length << element_size_shift;
}
if (byte_length > UINT32_MAX - sizeof (ecma_extended_object_t) - JMEM_ALIGNMENT + 1)
{
return ecma_raise_range_error (ECMA_ERR_MSG ("Maximum TypedArray size is reached"));
#if JERRY_ERROR_MESSAGES
ecma_value_t array_length_value = ecma_make_number_value (array_length);
ecma_value_t result = ecma_raise_standard_error_with_format (JERRY_ERROR_RANGE,
"Invalid typed array length: %",
array_length_value);
ecma_free_value (array_length_value);
return result;
#else /* !JERRY_ERROR_MESSAGES */
return ecma_raise_range_error (NULL);
#endif /* JERRY_ERROR_MESSAGES */
}
ecma_object_t *new_arraybuffer_p = NULL;
@ -1616,19 +1626,26 @@ ecma_op_create_typedarray (const ecma_value_t *arguments_list_p, /**< the arg li
ecma_number_t num = 0;
if (!ecma_is_value_undefined (arguments_list_p[0])
&& ECMA_IS_VALUE_ERROR (ecma_op_to_number (arguments_list_p[0], &num)))
&& ECMA_IS_VALUE_ERROR (ecma_op_to_index (arguments_list_p[0], &num)))
{
return ECMA_VALUE_ERROR;
}
uint32_t length = ecma_number_to_uint32 (num);
if (ecma_number_is_infinity (num))
JERRY_ASSERT (num >= 0 && num <= ECMA_NUMBER_MAX_SAFE_INTEGER);
if (num > UINT32_MAX)
{
ret = ecma_raise_range_error (ECMA_ERR_MSG ("Invalid TypedArray length"));
#if JERRY_ERROR_MESSAGES
ret = ecma_raise_standard_error_with_format (JERRY_ERROR_RANGE,
"Invalid typed array length: %",
arguments_list_p[0]);
#else /* !JERRY_ERROR_MESSAGES */
ret = ecma_raise_range_error (NULL);
#endif /* JERRY_ERROR_MESSAGES */
}
else
{
ret = ecma_typedarray_create_object_with_length (length,
ret = ecma_typedarray_create_object_with_length ((uint32_t) num,
NULL,
proto_p,
element_size_shift,

35
tests/jerry/es.next/typedArray-constructor.js Normal file
View File

@ -0,0 +1,35 @@
/* Copyright JS Foundation and other contributors, http://js.foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
function check_range_error(code)
{
try {
eval(code);
assert(false);
} catch (e) {
assert(e instanceof RangeError);
}
}
// Invalid cases
check_range_error("new Uint8Array(1e15)");
check_range_error("new Uint8Array(4294967296)");
check_range_error("new Uint8Array(4294967296 - 1)");
check_range_error("new Uint8Array(-1)");
// Valid cases
assert((new Uint8Array(3.5)).length === 3)
assert((new Uint8Array(-0.5)).length === 0)