Ladybird/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-09 09:34:57 +09:00
Code Activity

LibJS: Fix integer overflow in target_offset of TypedArray.set()

Browse source
This commit is contained in:
Jess 2025-03-21 07:04:26 +13:00 committed by Jelle Raaijmakers
parent dc83f3375c
commit f3a937ee76
Notes: github-actions[bot] 2025-03-25 07:46:40 +00:00
2 changed files with 26 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

12
Libraries/LibJS/Runtime/TypedArrayPrototype.cpp
View file

@ -1433,7 +1433,11 @@ static ThrowCompletionOr<void> set_typed_array_from_typed_array(VM& vm, TypedArr
// 16. If srcLength + targetOffset > targetLength, throw a RangeError exception. // 16. If srcLength + targetOffset > targetLength, throw a RangeError exception.
Checked<size_t> checked = source_length; Checked<size_t> checked = source_length;
checked += static_cast<u32>(target_offset);
if (target_offset > static_cast<double>(NumericLimits<size_t>::max()))
return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target offset");
checked += static_cast<size_t>(target_offset);
if (checked.has_overflow() || checked.value() > target_length) if (checked.has_overflow() || checked.value() > target_length)
return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length"); return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length");
@ -1539,7 +1543,11 @@ static ThrowCompletionOr<void> set_typed_array_from_array_like(VM& vm, TypedArra
// 7. If srcLength + targetOffset > targetLength, throw a RangeError exception. // 7. If srcLength + targetOffset > targetLength, throw a RangeError exception.
Checked<size_t> checked = source_length; Checked<size_t> checked = source_length;
checked += static_cast<u32>(target_offset);
if (target_offset > static_cast<double>(NumericLimits<size_t>::max()))
return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target offset");
checked += static_cast<size_t>(target_offset);
if (checked.has_overflow() || checked.value() > target_length) if (checked.has_overflow() || checked.value() > target_length)
return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length"); return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length");

16
Libraries/LibJS/Tests/builtins/TypedArray/TypedArray.prototype.set.js
View file

@ -146,3 +146,19 @@ test("detached buffer", () => {
expect(typedArray.length).toBe(0); expect(typedArray.length).toBe(0);
}); });
}); });
test("very large targetOffset", () => {
TYPED_ARRAYS.forEach(({ array: T }) => {
let typedArray = new T();
expect(() => {
// set_typed_array_from_typed_array
typedArray.set(typedArray, 2 ** 128);
}).toThrowWithMessage(RangeError, "Overflow or out of bounds in target offset");
expect(() => {
// set_typed_array_from_array_like
typedArray.set([], 2 ** 128);
}).toThrowWithMessage(RangeError, "Overflow or out of bounds in target offset");
});
});