    Only set DataView data_pointer after validation in constructor · 1ad8bd0d
    Samuel Groß authored
    Currently, when the input ArrayBuffer is detached during DataView
    construction, the code will create an invalid DataView object whose
    length, offset, and data_pointer are all incorrect. While this is
    currently ok as the DataView is never exposed to JavaScript in that
    case, it does cause issues as setting the data_pointer to a value
    outside of the V8 sandbox leads to a CHECK failure. This CL now ensures
    that the constructed DataView is always in a sane state to fix this.
    
    Bug: chromium:1354429
    Change-Id: I04260a5cf5547a420956d7a75e77f41408aa4f78
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3841931
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Samuel Groß <saelo@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#82619}
Changed file: builtins-dataview.cc (6.68 KB)
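The condition the commit message describes, an ArrayBuffer that is detached while the DataView constructor is still running, can only arise through user code the constructor calls back into: the `valueOf` of the `byteOffset` or `byteLength` argument, or the `prototype` lookup on `newTarget`. The script below is an added example, not code from V8 or from this CL; it drives each of those three re-entry points and records whether the engine throws (the ECMAScript-mandated TypeError) or hands back a view. It assumes a runtime where the buffer can be detached from script, here via `ArrayBuffer.prototype.transfer` or `structuredClone` with a transfer list (Node.js 17+ or a current browser); the CL's own trigger and the details of chromium:1354429 are not described on the page and are not reproduced here.

```javascript
// Added example: probe the three points at which script runs inside
// `new DataView(...)` and detach the buffer from each of them. A conforming
// engine must throw rather than expose a view over a detached buffer.

// Detach `buffer`. Assumption: ArrayBuffer.prototype.transfer (ES2024) or
// structuredClone with a transfer list is available.
function detach(buffer) {
  if (typeof ArrayBuffer.prototype.transfer === 'function') {
    buffer.transfer();                          // leaves `buffer` detached
  } else {
    structuredClone(buffer, { transfer: [buffer] });
  }
  if (buffer.byteLength !== 0) throw new Error('detach failed');
}

// Run the constructor and reduce the outcome to a string: "ok:<byteLength>"
// if a view came back, otherwise the name of the thrown error's constructor.
function construct(buffer, byteOffset, byteLength) {
  try {
    const view = byteLength === undefined
      ? new DataView(buffer, byteOffset)
      : new DataView(buffer, byteOffset, byteLength);
    return `ok:${view.byteLength}`;
  } catch (e) {
    return e.constructor.name;
  }
}

// 1. Detach from byteOffset's valueOf. ToIndex(byteOffset) runs before the
//    constructor's first detachment check, so the spec requires a TypeError.
function detachInByteOffset() {
  const buffer = new ArrayBuffer(16);
  const offset = { valueOf() { detach(buffer); return 0; } };
  return construct(buffer, offset);
}

// 2. Detach from byteLength's valueOf. By now the engine has already read the
//    buffer length and validated the offset against it; the stale length must
//    not survive into a live view, so the constructor has to throw.
function detachInByteLength() {
  const buffer = new ArrayBuffer(16);
  const length = { valueOf() { detach(buffer); return 8; } };
  return construct(buffer, 0, length);
}

// 3. Detach from the newTarget "prototype" lookup. This runs after every
//    argument has been validated and just before the view's fields are set,
//    which is the last chance for script to pull the buffer out from under
//    the constructor. A Proxy around a constructor function is used as
//    newTarget so the lookup can be intercepted.
function detachInPrototypeGetter() {
  const buffer = new ArrayBuffer(16);
  const target = new Proxy(function Target() {}, {
    get(t, key, receiver) {
      if (key === 'prototype') {
        detach(buffer);
        return DataView.prototype;
      }
      return Reflect.get(t, key, receiver);
    },
  });
  try {
    const view = Reflect.construct(DataView, [buffer, 0, 8], target);
    return `ok:${view.byteLength}`;
  } catch (e) {
    return e.constructor.name;
  }
}

// 4. Control: an intact buffer yields a normal view of the requested size.
function normalConstruction() {
  return construct(new ArrayBuffer(16), 4, 8);
}

console.log('byteOffset valueOf :', detachInByteOffset());
console.log('byteLength valueOf :', detachInByteLength());
console.log('newTarget.prototype:', detachInPrototypeGetter());
console.log('control            :', normalConstruction());
```

The three re-entry points are the only places the constructor can observe a detachment after it has started, which is why the CL's "validate first, then set data_pointer" ordering closes the window: every script callback has returned by the time the object's fields are written, and the final detachment check runs after the last of them.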