Attachment #8940347: Fix error handling in deserialization of invalid typed arrays for bug #1426783


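--- a/js/src/tests/non262/extensions/clone-v1-typed-array-invalid.js
+++ b/js/src/tests/non262/extensions/clone-v1-typed-array-invalid.js
@@ -0,0 +1,23 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+// bug 1426783
+let data = new Uint8Array([
+    ,,,,7,,255,255,34,,,128,5,1,255,255,
+    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+    ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1
+]);
+let cloneBuffer = serialize(null);
+cloneBuffer.clonebuffer = data.buffer;
+let expected = "InternalError: bad serialized structured data (invalid typed array size)";
+let actual = "deserialization did not throw";
+try {
+    deserialize(cloneBuffer);
+} catch (exc) {
+    actual = exc.toString();
+}
+reportCompare(expected, actual);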
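Review bot: The byte array on lines 7-13 gives no hint of which clone-buffer fields it encodes, so a maintainer cannot see what makes it an "invalid typed array size" without re-deriving the V1 layout by hand. A one-line comment above `let data` would make the test self-explaining, e.g. `// Hand-built V1 typed-array clone whose element count presumably overflows the byte-length computation (bug 1426783); see readV1ArrayBuffer.` — the exact field positions should be confirmed against the reader before stating them. It would also be worth asserting that the thrown value is an InternalError instance rather than only comparing `toString()` output, since a message-only comparison passes for any exception type that happens to format the same way.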
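--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2078,18 +2078,27 @@ JSStructuredCloneReader::readSharedWasmM
  * endianness-conversion while reading.
  */
 bool
 JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems,
                                            MutableHandleValue vp)
 {
     MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
 
-    uint32_t nbytes = nelems << TypedArrayShift(static_cast<Scalar::Type>(arrayType));
-    JSObject* obj = ArrayBufferObject::create(context(), nbytes);
+    mozilla::CheckedInt<size_t> nbytes =
+        mozilla::CheckedInt<size_t>(nelems) *
+        TypedArrayElemSize(static_cast<Scalar::Type>(arrayType));
+    if (!nbytes.isValid() || nbytes.value() > UINT32_MAX) {
+        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA,
+                                  "invalid typed array size");
+        return false;
+    }
+
+    JSObject* obj = ArrayBufferObject::create(context(), nbytes.value());
     if (!obj)
         return false;
     vp.setObject(*obj);
     ArrayBufferObject& buffer = obj->as<ArrayBufferObject>();
     MOZ_ASSERT(buffer.byteLength() == nbytes);
 
     switch (arrayType) {
       case Scalar::Int8: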
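Review bot: The assertion at new line 2101, `MOZ_ASSERT(buffer.byteLength() == nbytes);`, still compares the buffer's uint32_t byte length against `nbytes`, which this hunk changes from a `uint32_t` into a `mozilla::CheckedInt<size_t>`; the `create()` call was updated to `nbytes.value()` but this line was not. Unless CheckedInt supplies a mixed comparison with a plain integer, this will fail to compile in DEBUG builds, and even if it does compile the intent is clearer as `MOZ_ASSERT(buffer.byteLength() == nbytes.value());` — the `isValid()` and `UINT32_MAX` checks above already guarantee `value()` is safe to call there. On targets where `size_t` is 32 bits the `nbytes.value() > UINT32_MAX` comparison is always false and may draw a tautological-compare warning, though `isValid()` still catches the overflow case, so that is cosmetic. readV1ArrayBuffer continues past the end of the hunk.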
