[d8] Fix potential overflow issue in ArrayBuffer allocator.

Bug: chromium:793196 Change-Id: I289653be3968b221bfe4c0f03e8430b2ca76c55c Reviewed-on: https://chromium-review.googlesource.com/827645Reviewed-by: Eric Holk <eholk@chromium.org> Commit-Queue: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#50135}

[d8] Fix potential overflow issue in ArrayBuffer allocator.
Bug: chromium:793196 Change-Id: I289653be3968b221bfe4c0f03e8430b2ca76c55c Reviewed-on: https://chromium-review.googlesource.com/827645Reviewed-by: Eric Holk <eholk@chromium.org> Commit-Queue: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#50135}
8b4966e9 · Bill Budge · Commit Bot · bcf11729 · 8b4966e9
Commit 8b4966e9 authored Dec 14, 2017 by Bill Budge Committed by Commit Bot Dec 15, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

d8.cc src/d8.cc +2 -1

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -146,9 +146,10 @@ class ShellArrayBufferAllocator : public ArrayBufferAllocatorBase {
    // TODO(titzer): allocations should fail if >= 2gb because array buffers
    // store their lengths as a SMI internally.
    if (length >= kTwoGB) return nullptr;
-
    size_t page_size = base::OS::AllocatePageSize();
    size_t allocated = RoundUp(length, page_size);
+    // Rounding up could go over the limit.
+    if (allocated >= kTwoGB) return nullptr;
    void* address = base::OS::Allocate(nullptr, allocated, page_size,
                                       base::OS::MemoryPermission::kReadWrite);
 #if defined(LEAK_SANITIZER)