CloneDeserializer::readBigInt() should check for overflow when reifying JSBigInt length on 32-bit platforms.

https://bugs.webkit.org/show_bug.cgi?id=260822
rdar://114547822

Reviewed by Chris Dumez.

The serialized length is a number of Uint64 elements. On 32-bit platforms, this length gets multiplied by 2 in order to compute the actual length of the backing store to re-construct the JSBigInt. Both the transmitted length and the JSBigInt length are stored as uint32_t. Hence, the 2x multiplication can theoretically result in an overflow. This patch adds an overflow check to handle this edge case.

Also renamed lengthInUint64 to numberOfUint64Elements. lengthInUint64 can be misread to mean a length stored as a uint64_t value, which is not what it actually means. The length value is stored in a uint32_t, and is a count of the number of uint64_t sized elements.

* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::dumpHeapBigIntData):
(WebCore::CloneDeserializer::readBigInt):

Originally-landed-as: 265870.467@safari-7616-branch (1f9e212). rdar://117809900
Canonical link: https://commits.webkit.org/270127@main
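The arithmetic the commit message describes, as an added illustration that is not WebKit's code and does not reproduce the actual readBigInt() change: the serialized value is a uint32_t count of uint64_t elements, and on a platform whose BigInt digit is 32 bits wide the backing-store length is that count times 2, also held in a uint32_t. The function names, the `digitBits` parameter and the out-parameter shape are assumptions made for this example; the unchecked variant is included only to show the wraparound that the check rejects.

```cpp
#include <cstdint>
#include <limits>

// Added example, not WebKit code. Converts the serialized count of uint64_t
// elements into the BigInt backing-store length for a platform whose digit
// width is `digitBits` (32 on 32-bit platforms, 64 on 64-bit platforms; the
// parameter is an assumption standing in for the platform's digit width).
// Returns false instead of producing a wrapped length when the 2x scaling
// would not fit in the uint32_t that holds the JSBigInt length.
bool bigIntLengthFromUint64Count(uint32_t numberOfUint64Elements, unsigned digitBits, uint32_t& outLength)
{
    if (digitBits == 64) {
        // One 64-bit digit per serialized element: no scaling, no overflow.
        outLength = numberOfUint64Elements;
        return true;
    }
    if (digitBits != 32)
        return false; // unsupported digit width in this illustration

    // Two 32-bit digits per uint64_t element. count * 2 overflows uint32_t
    // exactly when count > UINT32_MAX / 2, so check before multiplying.
    constexpr uint32_t maxCount = std::numeric_limits<uint32_t>::max() / 2;
    if (numberOfUint64Elements > maxCount)
        return false; // overflow: the serialized value must be rejected
    outLength = numberOfUint64Elements * 2u;
    return true;
}

// The unchecked computation the fix guards against: unsigned multiplication
// silently wraps modulo 2^32, yielding a length far smaller than the element
// count the deserializer is about to read into it.
uint32_t uncheckedBigIntLength32(uint32_t numberOfUint64Elements)
{
    return numberOfUint64Elements * 2u;
}
```

A count of 0x80000000 elements is the first value that wraps: the unchecked length becomes 0 while the checked helper refuses it, and 0x7FFFFFFF is the largest count the 32-bit path accepts.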