[JSC] Fix ResizableArrayBuffer + lastIndexOf

https://bugs.webkit.org/show_bug.cgi?id=249676 rdar://103531814 Reviewed by Justin Michaud. When evaluating the valueOf of the input, resizable arraybuffer can get 0 length, thus, we need to assume that length can become zero. This patch fixes this crash issue. This is actually not a security issue because of how resizable arraybuffer is designed: it reserves maximum size VM region and use mprotect to allow access based on the current size. So, only possible outcome here is crash. * JSTests/stress/resizable-array-buffer-last-index-of.js: Added. (evil.valueOf): * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h: (JSC::genericTypedArrayViewProtoFuncLastIndexOf): Canonical link: https://commits.webkit.org/258164@main
WebKit · Dec 20, 2022 · 4a35ca3f1e129f50ea7eca5ca070432c7d29347a · 4a35ca3
1 parent 6896e90
commit 4a35ca3f1e129f50ea7eca5ca070432c7d29347a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/JSTests/stress/resizable-array-buffer-last-index-of.js b/JSTests/stress/resizable-array-buffer-last-index-of.js
@@ -0,0 +1,12 @@
+const rab = new ArrayBuffer(50, {
+  "maxByteLength": 100
+});
+const ta = new Int8Array(rab);
+const evil = {};
+
+evil.valueOf = function () {
+  rab.resize(0);
+  return 5;
+};
+
+ta.lastIndexOf(1, evil);
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
@@ -602,6 +602,8 @@ ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncLastIndexOf(VM& vm, J
             return JSValue::encode(jsNumber(-1));
 
         length = lengthValue.value();
+        if (!length)
+            return JSValue::encode(jsNumber(-1));
         index = std::min(length - 1, index);
     }