[runtime] Do not set zero-length source in TA.p.set

(source_length - 1) can be overflowed, and cause OOB access when source_length is zero. Thus, just do not operate setting if source_length is zero when starting TypedArraySetFromOverlapping. Bug: v8:6704 Change-Id: I5da60590c9a197eae96625a12720f6818b8c598a Reviewed-on: https://chromium-review.googlesource.com/620452 Commit-Queue: Franziska Hinkelmann <franzih@chromium.org> Reviewed-by: Franziska Hinkelmann <franzih@chromium.org> Cr-Commit-Position: refs/heads/master@{#47430}

[runtime] Do not set zero-length source in TA.p.set
(source_length - 1) can be overflowed, and cause OOB access when source_length is zero. Thus, just do not operate setting if source_length is zero when starting TypedArraySetFromOverlapping. Bug: v8:6704 Change-Id: I5da60590c9a197eae96625a12720f6818b8c598a Reviewed-on: https://chromium-review.googlesource.com/620452 Commit-Queue: Franziska Hinkelmann <franzih@chromium.org> Reviewed-by: Franziska Hinkelmann <franzih@chromium.org> Cr-Commit-Position: refs/heads/master@{#47430}
5e0db7df · Choongwoo Han · Commit Bot · 03285ec9 · 5e0db7df · 5e0db7df
Commit 5e0db7df authored Aug 18, 2017 by Choongwoo Han Committed by Commit Bot Aug 18, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

runtime-typedarray.cc src/runtime/runtime-typedarray.cc +2 -0

typedarray.js test/mjsunit/es6/typedarray.js +5 -0

No files found.
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -152,6 +152,7 @@ RUNTIME_FUNCTION(Runtime_TypedArraySetFromOverlapping) {
  size_t targetElementSize = target->element_size();

  uint32_t source_length = source->length_value();
+  if (source_length == 0) return *target;

  // Copy left part.

@@ -191,6 +192,7 @@ RUNTIME_FUNCTION(Runtime_TypedArraySetFromOverlapping) {
  source_ptr += source_length * sourceElementSize;

  uint32_t right_index;
+  DCHECK_GE(source_length, 1);
  for (right_index = source_length - 1;
       right_index > left_index && target_ptr >= source_ptr; right_index--) {
    Handle<Object> value;

--- a/test/mjsunit/es6/typedarray.js
+++ b/test/mjsunit/es6/typedarray.js
@@ -534,6 +534,7 @@ function TestTypedArraySet() {
  var a51 = new Int8Array(b, 0, 2)
  var a52 = new Int8Array(b, 1, 2)
  var a53 = new Int8Array(b, 2, 2)
+  var a54 = new Int8Array(b, 0, 0)

  a5.set([0x5050, 0x0a0a])
  assertArrayPrefix([0x50, 0x50, 0x0a, 0x0a], a50)
@@ -565,6 +566,10 @@ function TestTypedArraySet() {
  a5.set(a53)
  assertArrayPrefix([0x000a, 0x000b], a5)

+  a50.set([0x50, 0x51, 0x0a, 0x0b])
+  a5.set(a54, 0)
+  assertArrayPrefix([0x50, 0x51, 0x0a, 0x0b], a50)
+
  // Mixed types of same size.
  var a61 = new Float32Array([1.2, 12.3])
  var a62 = new Int32Array(2)