[JSC] Fix ResizableArrayBuffer + lastIndexOf
https://bugs.webkit.org/show_bug.cgi?id=249676
rdar://103531814

Reviewed by Justin Michaud.

When evaluating the valueOf of the input, a resizable ArrayBuffer can get 0 length; thus,
we need to assume that the length can become zero. This patch fixes this crash issue.
This is actually not a security issue because of how resizable ArrayBuffer is designed:
it reserves a maximum-size VM region and uses mprotect to allow access based on the current
size. So, the only possible outcome here is a crash.

* JSTests/stress/resizable-array-buffer-last-index-of.js: Added.
(evil.valueOf):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncLastIndexOf):

Canonical link: https://commits.webkit.org/258164@main
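As an added example (not part of the WebKit commit or its test), the following JavaScript pokes the same hole from the script side in several %TypedArray% methods whose fromIndex argument is coerced through a user-visible valueOf(). All function names are my own and the inputs are constructed; the expected values are the ones the ECMAScript specification mandates once the buffer has shrunk (indices past the new length are simply absent). It needs an engine with resizable ArrayBuffer (ES2024) and returns null otherwise.

```javascript
// Added example (not from the WebKit commit or its test): drive several
// %TypedArray% methods whose index argument is coerced with ToIntegerOrInfinity,
// using an object whose valueOf() shrinks the underlying resizable ArrayBuffer
// while the method is already running. Expected values follow the ECMAScript
// spec: indices past the new length read as absent/undefined, so searches fall
// back to "not found" instead of touching memory that is no longer mapped.

// Fresh length-tracking Int8Array over a resizable buffer, filled with 0..7.
function makeView() {
  const rab = new ArrayBuffer(8, { maxByteLength: 16 });
  const ta = new Int8Array(rab); // no explicit length: tracks rab.byteLength
  for (let i = 0; i < ta.length; i++) ta[i] = i;
  return { rab, ta };
}

// An index argument whose coercion shrinks `rab` to `newByteLength` bytes
// and then reports `reported` as its numeric value (constructed input).
function shrinkingIndex(rab, newByteLength, reported) {
  return {
    valueOf() {
      rab.resize(newByteLength);
      return reported;
    },
  };
}

// Runs each probe on a fresh view and returns the observed results.
// Returns null on engines without resizable ArrayBuffer (pre-ES2024).
function runShrinkProbes() {
  if (typeof ArrayBuffer.prototype.resize !== "function") return null;
  const results = {};
  let v;

  // 1. Shrink to zero during fromIndex coercion: the case the WebKit test covers.
  v = makeView();
  results.lastIndexOfZero = v.ta.lastIndexOf(1, shrinkingIndex(v.rab, 0, 5)); // -1
  results.lengthAfterZero = v.ta.length; // 0

  // 2. Shrink to 4 bytes but ask to start at 7: the search must start at the
  //    new last index (3), so 3 is still found and 6 is not.
  v = makeView();
  results.lastIndexOfHit = v.ta.lastIndexOf(3, shrinkingIndex(v.rab, 4, 7)); // 3
  v = makeView();
  results.lastIndexOfMiss = v.ta.lastIndexOf(6, shrinkingIndex(v.rab, 4, 7)); // -1

  // 3. indexOf coerces fromIndex the same way; 5 now lies past the end.
  v = makeView();
  results.indexOfMiss = v.ta.indexOf(5, shrinkingIndex(v.rab, 4, 0)); // -1

  // 4. includes() keeps the length it read on entry and uses Get(), which
  //    yields undefined for out-of-range indices: 7 is no longer there, but
  //    undefined now is. This is spec behaviour, not a bug.
  v = makeView();
  results.includesMiss = v.ta.includes(7, shrinkingIndex(v.rab, 2, 0)); // false
  v = makeView();
  results.includesUndefined = v.ta.includes(undefined, shrinkingIndex(v.rab, 2, 0)); // true

  return results;
}

console.log(runShrinkProbes());
```

On a build without the fix the first probe is the one that crashes; on a fixed engine every probe returns the spec value. The `includes(undefined, ...)` case is worth keeping in a regression suite because it pins down the intended observable behaviour of a shrunk view: out-of-range reads yield undefined rather than stale bytes.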
Constellation committed Dec 20, 2022
1 parent 6896e90 commit 4a35ca3f1e129f50ea7eca5ca070432c7d29347a
Showing 2 changed files with 14 additions and 0 deletions.
@@ -0,0 +1,12 @@
const rab = new ArrayBuffer(50, {
"maxByteLength": 100
});
const ta = new Int8Array(rab);
const evil = {};

evil.valueOf = function () {
rab.resize(0);
return 5;
};

ta.lastIndexOf(1, evil);
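Review bot: the test only checks that the call survives; it never checks the result. Since an empty view cannot contain anything, assert that `ta.lastIndexOf(1, evil)` returns -1 so a regression that returns a stale index instead of crashing is also caught. A second case in which valueOf shrinks the buffer to a non-zero length smaller than the requested fromIndex (for example `rab.resize(2)` with a returned index of 5) would exercise the `std::min(length - 1, index)` clamp against the new length as well, which this case never reaches because it returns early.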
@@ -602,6 +602,8 @@ ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncLastIndexOf(VM& vm, J
return JSValue::encode(jsNumber(-1));

length = lengthValue.value();
if (!length)
return JSValue::encode(jsNumber(-1));
index = std::min(length - 1, index);
}
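Review bot: the zero-length guard sits in the right place, before `index = std::min(length - 1, index);`: with `length` already zero that subtraction would wrap (or go negative) and `index` would never be clamped into the view, which is the crash the commit message describes. A one-line comment stating that `length` is re-read here because converting `fromIndex` can run user code that resizes the buffer would make the early return self-explanatory to the next reader, who otherwise sees a length check that appears to duplicate the one at function entry.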
