Commit 40c68c36 authored by Andreas Haas's avatar Andreas Haas Committed by Commit Bot

[backingstore] Check maximum size in API creation functions

With this CL we prevent embedders from allocating backing stores that are
bigger than what V8 can handle.

R=ulan@chromium.org
CC=jkummerow@chromium.org

Bug: chromium:1008840
Change-Id: Ifff5e14c42fbdae187283540a54ffbfeda935574
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1900455Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64837}
parent 0dfd9ea5
......@@ -7525,7 +7525,6 @@ Local<ArrayBuffer> v8::ArrayBuffer::New(
Isolate* isolate, std::shared_ptr<BackingStore> backing_store) {
CHECK_IMPLIES(backing_store->ByteLength() != 0,
backing_store->Data() != nullptr);
CHECK_LE(backing_store->ByteLength(), i::JSArrayBuffer::kMaxByteLength);
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
LOG_API(i_isolate, ArrayBuffer, New);
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
......@@ -7543,6 +7542,7 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
Isolate* isolate, size_t byte_length) {
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
LOG_API(i_isolate, ArrayBuffer, NewBackingStore);
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
std::unique_ptr<i::BackingStoreBase> backing_store =
i::BackingStore::Allocate(i_isolate, byte_length,
......@@ -7558,6 +7558,7 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
void* data, size_t byte_length, BackingStoreDeleterCallback deleter,
void* deleter_data) {
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
std::unique_ptr<i::BackingStoreBase> backing_store =
i::BackingStore::WrapAllocation(data, byte_length, deleter, deleter_data,
i::SharedFlag::kNotShared);
......@@ -7845,7 +7846,6 @@ Local<SharedArrayBuffer> v8::SharedArrayBuffer::New(
CHECK(i::FLAG_harmony_sharedarraybuffer);
CHECK_IMPLIES(backing_store->ByteLength() != 0,
backing_store->Data() != nullptr);
CHECK_LE(backing_store->ByteLength(), i::JSArrayBuffer::kMaxByteLength);
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
LOG_API(i_isolate, SharedArrayBuffer, New);
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
......@@ -7870,6 +7870,7 @@ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
Isolate* isolate, size_t byte_length) {
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
LOG_API(i_isolate, SharedArrayBuffer, NewBackingStore);
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
std::unique_ptr<i::BackingStoreBase> backing_store =
i::BackingStore::Allocate(i_isolate, byte_length, i::SharedFlag::kShared,
......@@ -7885,6 +7886,7 @@ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
void* data, size_t byte_length, BackingStoreDeleterCallback deleter,
void* deleter_data) {
CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
std::unique_ptr<i::BackingStoreBase> backing_store =
i::BackingStore::WrapAllocation(data, byte_length, deleter, deleter_data,
i::SharedFlag::kShared);
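Review bot: The CHECK_LE on byte_length added to the four NewBackingStore overloads (hunks at 7542, 7558, 7870 and 7886) makes an oversized request a fatal CHECK failure rather than a failed allocation, and nothing in this change documents that contract at the public declarations; the v8.h side is not part of the diff, so a comment there such as `// byte_length must not exceed JSArrayBuffer::kMaxByteLength; larger values trip a fatal CHECK.` would tell embedders to validate the size before calling. As a point of style, the Isolate* overloads place the check after LOG_API while the wrapping overloads place it first; putting `CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);` as the first statement of the Isolate* overloads keeps the guard in the same position in all four and avoids logging an API call that is about to abort. Dropping the CHECK_LE from ArrayBuffer::New and SharedArrayBuffer::New (first and fourth hunks) assumes every BackingStore reaching New was produced by one of these creation paths, which is not verifiable from this page. Each enclosing function starts or ends outside its hunk.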