Commit 38547ff9 authored by Marja Hölttä's avatar Marja Hölttä Committed by V8 LUCI CQ

[rab/gsab] Disallow too large length-tracking TAs

Bug: v8:11111,chromium:1326928
Change-Id: Ib3993df33b7ea8c5dbe721c16f6e7ac6d5a41a09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687693Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: 's avatarShu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81238}
parent 8487e66d
......@@ -70,7 +70,15 @@ Object ConstructBuffer(Isolate* isolate, Handle<JSFunction> target,
BackingStore::Allocate(isolate, byte_length, shared, initialized);
max_byte_length = byte_length;
} else {
if (!TryNumberToSize(*max_length, &max_byte_length)) {
// We need to check the max length against both
// JSArrayBuffer::kMaxByteLength and JSTypedArray::kMaxLength, since it's
// possible to create length-tracking TypedArrays and resize the underlying
// buffer. If the max byte length was larger than JSTypedArray::kMaxLength,
// that'd result in having a TypedArray with length larger than
// JSTypedArray::kMaxLength.
if (!TryNumberToSize(*max_length, &max_byte_length) ||
max_byte_length > JSArrayBuffer::kMaxByteLength ||
max_byte_length > JSTypedArray::kMaxLength) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate,
NewRangeError(MessageTemplate::kInvalidArrayBufferMaxLength));
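Review bot: The two upper-bound comparisons added on the new side, `max_byte_length > JSArrayBuffer::kMaxByteLength || max_byte_length > JSTypedArray::kMaxLength`, express a single cap (the smaller of the two constants), and the reader has to derive that from the six-line comment above them. If the two constants share a type, `max_byte_length > std::min(JSArrayBuffer::kMaxByteLength, JSTypedArray::kMaxLength)` with a one-line comment `// Length-tracking TAs can grow to the whole buffer, so both limits apply.` states the intent directly; if their types differ, a named constexpr next to the constants (say `kMaxResizableByteLength`, a suggested name) does the same. Comparing a byte length against kMaxLength, which is an element count, is conservative for every element size, and the comment would be clearer if it said so rather than reasoning only about the one-byte case. ConstructBuffer begins and ends outside the hunk, so whether the non-resizable branch relies on an equivalent check elsewhere cannot be confirmed from here.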