Check array element length in ValueDeserializer

Bug: chromium:905940 Change-Id: I1d0cd85e7d8b32c08a6b680af5c2bde5adeb9259 Reviewed-on: https://chromium-review.googlesource.com/c/1339699Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#57566}

Check array element length in ValueDeserializer
Bug: chromium:905940 Change-Id: I1d0cd85e7d8b32c08a6b680af5c2bde5adeb9259 Reviewed-on: https://chromium-review.googlesource.com/c/1339699Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#57566}
206b8e08 · Yang Guo · Commit Bot · 7762b230 · 206b8e08
Commit 206b8e08 authored Nov 16, 2018 by Yang Guo Committed by Commit Bot Nov 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 4 deletions

value-serializer.cc src/value-serializer.cc +16 -4

No files found.
--- a/src/value-serializer.cc
+++ b/src/value-serializer.cc
@@ -1149,6 +1149,7 @@ void ValueDeserializer::TransferArrayBuffer(
 }

 MaybeHandle<Object> ValueDeserializer::ReadObject() {
+  DisallowJavascriptExecution no_js(isolate_);
  MaybeHandle<Object> result = ReadObjectInternal();

  // ArrayBufferView is special in that it consumes the value before it, even
@@ -1472,6 +1473,11 @@ MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() {
    // hole. Past version 11, undefined means undefined.
    if (version_ < 11 && element->IsUndefined(isolate_)) continue;

+    // Make sure elements is still large enough.
+    if (i >= static_cast<uint32_t>(elements->length())) {
+      return MaybeHandle<JSArray>();
+    }
+
    elements->set(i, *element);
  }

@@ -1593,8 +1599,12 @@ MaybeHandle<JSMap> ValueDeserializer::ReadJSMap() {
    }

    Handle<Object> argv[2];
-    if (!ReadObject().ToHandle(&argv[0]) || !ReadObject().ToHandle(&argv[1]) ||
-        Execution::Call(isolate_, map_set, map, arraysize(argv), argv)
+    if (!ReadObject().ToHandle(&argv[0]) || !ReadObject().ToHandle(&argv[1])) {
+      return MaybeHandle<JSMap>();
+    }
+
+    AllowJavascriptExecution allow_js(isolate_);
+    if (Execution::Call(isolate_, map_set, map, arraysize(argv), argv)
            .is_null()) {
      return MaybeHandle<JSMap>();
    }
@@ -1629,8 +1639,10 @@ MaybeHandle<JSSet> ValueDeserializer::ReadJSSet() {
    }

    Handle<Object> argv[1];
-    if (!ReadObject().ToHandle(&argv[0]) ||
-        Execution::Call(isolate_, set_add, set, arraysize(argv), argv)
+    if (!ReadObject().ToHandle(&argv[0])) return MaybeHandle<JSSet>();
+
+    AllowJavascriptExecution allow_js(isolate_);
+    if (Execution::Call(isolate_, set_add, set, arraysize(argv), argv)
            .is_null()) {
      return MaybeHandle<JSSet>();
    }