• jbroman's avatar
    ValueSerializer: Add more checks before trying to allocate memory for a dense array. · 0004733c
    jbroman authored
    Found with libfuzzer. The length is automatically converted to int (thus
    large sizes could become negative, even though they are legal "array sizes").
    Besides that, the length is coerced to a SMI (which is an even tighter
    constraint on 32-bit systems, where it limits the legal sizes to 2^30 - 1).
    
    Add checks that the length of a dense array is below that threshold, and also
    fail fast if a length that is provided obviously could not be the correct dense
    length (because there isn't enough data left in the buffer to populate such an
    array).
    
    BUG=chromium:148757
    
    Review-Url: https://codereview.chromium.org/2399873002
    Cr-Commit-Position: refs/heads/master@{#40094}
    0004733c
Name
Last commit
Last update
..
base Loading commit data...
compiler Loading commit data...
compiler-dispatcher Loading commit data...
heap Loading commit data...
interpreter Loading commit data...
libplatform Loading commit data...
wasm Loading commit data...
BUILD.gn Loading commit data...
DEPS Loading commit data...
cancelable-tasks-unittest.cc Loading commit data...
char-predicates-unittest.cc Loading commit data...
counters-unittest.cc Loading commit data...
eh-frame-iterator-unittest.cc Loading commit data...
eh-frame-writer-unittest.cc Loading commit data...
locked-queue-unittest.cc Loading commit data...
register-configuration-unittest.cc Loading commit data...
run-all-unittests.cc Loading commit data...
source-position-table-unittest.cc Loading commit data...
test-utils.cc Loading commit data...
test-utils.h Loading commit data...
unittests.gyp Loading commit data...
unittests.isolate Loading commit data...
unittests.status Loading commit data...
value-serializer-unittest.cc Loading commit data...