test · 0004733c0814a5f8c5cf519a062e525dec591224 · Linshizhi / V8

ValueSerializer: Add more checks before trying to allocate memory for a dense array. · 0004733c

jbroman authored Oct 07, 2016

Found with libfuzzer. The length is automatically converted to int (thus
large sizes could become negative, even though they are legal "array sizes").
Besides that, the length is coerced to a SMI (which is an even tighter
constraint on 32-bit systems, where it limits the legal sizes to 2^30 - 1).

Add checks that the length of a dense array is below that threshold, and also
fail fast if a length that is provided obviously could not be the correct dense
length (because there isn't enough data left in the buffer to populate such an
array).

BUG=chromium:148757

Review-Url: https://codereview.chromium.org/2399873002
Cr-Commit-Position: refs/heads/master@{#40094}

0004733c

Name	Last commit	Last update
..
benchmarks		Loading commit data...
cctest		Loading commit data...
common		Loading commit data...
fuzzer		Loading commit data...
inspector		Loading commit data...
inspector_protocol_parser_test		Loading commit data...
intl		Loading commit data...
js-perf-test		Loading commit data...
memory		Loading commit data...
message		Loading commit data...
mjsunit		Loading commit data...
mozilla		Loading commit data...
preparser		Loading commit data...
promises-aplus		Loading commit data...
simdjs		Loading commit data...
test262		Loading commit data...
unittests		Loading commit data...
webkit		Loading commit data...
BUILD.gn		Loading commit data...
bot_default.gyp		Loading commit data...
bot_default.isolate		Loading commit data...
default.gyp		Loading commit data...
default.isolate		Loading commit data...
optimize_for_size.gyp		Loading commit data...
optimize_for_size.isolate		Loading commit data...
perf.gyp		Loading commit data...
perf.isolate		Loading commit data...