[rab/gsab] Disallow too large length-tracking TAs

Bug: v8:11111,chromium:1326928
Change-Id: Ib3993df33b7ea8c5dbe721c16f6e7ac6d5a41a09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687693Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81238}

src/builtins/builtins-arraybuffer.cc

@@ -70,7 +70,15 @@ Object ConstructBuffer(Isolate* isolate, Handle<JSFunction> target,
         BackingStore::Allocate(isolate, byte_length, shared, initialized);
     max_byte_length = byte_length;
   } else {
-    if (!TryNumberToSize(*max_length, &max_byte_length)) {
+    // We need to check the max length against both
+    // JSArrayBuffer::kMaxByteLength and JSTypedArray::kMaxLength, since it's
+    // possible to create length-tracking TypedArrays and resize the underlying
+    // buffer. If the max byte length was larger than JSTypedArray::kMaxLength,
+    // that'd result in having a TypedArray with length larger than
+    // JSTypedArray::kMaxLength.
+    if (!TryNumberToSize(*max_length, &max_byte_length) ||
+        max_byte_length > JSArrayBuffer::kMaxByteLength ||
+        max_byte_length > JSTypedArray::kMaxLength) {
       THROW_NEW_ERROR_RETURN_FAILURE(
           isolate,
           NewRangeError(MessageTemplate::kInvalidArrayBufferMaxLength));