[JSC] Fix ResizableArrayBuffer + lastIndexOf

Reviewed by Justin Michaud.

When evaluating the valueOf of the input, a resizable ArrayBuffer can get 0 length; thus,
we need to assume that the length can become zero. This patch fixes this crash issue.
This is actually not a security issue because of how resizable ArrayBuffer is designed:
it reserves a maximum-size VM region and uses mprotect to allow access based on the current
size. So, the only possible outcome here is a crash.

* JSTests/stress/resizable-array-buffer-last-index-of.js: Added.
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:

Constellation committed Dec 20, 2022
1 parent 6896e90 commit 4a35ca3f1e129f50ea7eca5ca070432c7d29347a
Showing 2 changed files with 14 additions and 0 deletions.
@@ -0,0 +1,12 @@
const rab = new ArrayBuffer(50, {
"maxByteLength": 100
const ta = new Int8Array(rab);
const evil = {};

evil.valueOf = function () {
return 5;

ta.lastIndexOf(1, evil);
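Review bot: the test as shown never resizes `rab` inside `valueOf`; it only does `return 5;`, so it does not reach the zero-length condition the commit message describes (the buffer going to length 0 while the fromIndex argument is being coerced). Have `valueOf` call `rab.resize(0)` before `return 5;` so the new `if (!length)` path in genericTypedArrayViewProtoFuncLastIndexOf is actually exercised, and consider asserting that `ta.lastIndexOf(1, evil)` returns `-1` rather than only checking that the call does not crash.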
@@ -602,6 +602,8 @@ ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncLastIndexOf(VM& vm, J
return JSValue::encode(jsNumber(-1));

length = lengthValue.value();
if (!length)
return JSValue::encode(jsNumber(-1));
index = std::min(length - 1, index);
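Review bot: the new `if (!length)` guard is what keeps `length - 1` from wrapping when `length` is an unsigned type, but nothing in the hunk says why `length` is reassigned from `lengthValue` at this point rather than reused from before. A one-line comment that the fromIndex coercion above can run user code (valueOf) that resizes the buffer, so `length` must be re-derived here and may now be zero, would stop a future cleanup from hoisting the `std::min(length - 1, index)` clamp back above the coercion. Also worth checking whether this zero-length case can share the existing `return JSValue::encode(jsNumber(-1));` path just above instead of adding a second early return.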
