Commit 8d835e6d authored by Choongwoo Han, committed by Commit Bot

[test] Check a value type in a test function

The IsWasmCompileAllowed function in runtime/runtime-test.cc can
be invoked only when native calls are allowed, so this is not an
actual bug, but fuzzing or random testing can call this function and
make a false positive. Thus, add a check that the given argument is
actually an array buffer.

Bug: v8:5981
Change-Id: I3918c4d68b67a507c93865effa490d7259d63cb1
Reviewed-on: https://chromium-review.googlesource.com/732383
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50116}
parent 3ca11472
...@@ -43,8 +43,9 @@ bool IsWasmCompileAllowed(v8::Isolate* isolate, v8::Local<v8::Value> value, ...@@ -43,8 +43,9 @@ bool IsWasmCompileAllowed(v8::Isolate* isolate, v8::Local<v8::Value> value,
DCHECK_GT(g_PerIsolateWasmControls.Get().count(isolate), 0); DCHECK_GT(g_PerIsolateWasmControls.Get().count(isolate), 0);
const WasmCompileControls& ctrls = g_PerIsolateWasmControls.Get().at(isolate); const WasmCompileControls& ctrls = g_PerIsolateWasmControls.Get().at(isolate);
return (is_async && ctrls.AllowAnySizeForAsync) || return (is_async && ctrls.AllowAnySizeForAsync) ||
(v8::Local<v8::ArrayBuffer>::Cast(value)->ByteLength() <= (value->IsArrayBuffer() &&
ctrls.MaxWasmBufferSize); v8::Local<v8::ArrayBuffer>::Cast(value)->ByteLength() <=
ctrls.MaxWasmBufferSize);
} }
// Use the compile controls for instantiation, too // Use the compile controls for instantiation, too
......
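Review bot: The new `value->IsArrayBuffer() &&` guard makes every non-ArrayBuffer argument fall through to `false` unless `is_async && ctrls.AllowAnySizeForAsync` holds, and nothing in the function says that this is the intended result. That keeps `v8::Local<v8::ArrayBuffer>::Cast(value)` from being applied to a value of the wrong type, which is the point of the fix, but it also means the size limit is never evaluated for such values; they are simply reported as not allowed. Please add a one-line comment above the return stating that non-ArrayBuffer values are rejected on purpose. If array buffer views can also reach this callback, consider whether they should be measured against `ctrls.MaxWasmBufferSize` by their own byte length instead of being rejected.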