
TypedArrays: Fix size/index overflow on 32-bit.

On 64-bit, the calculation is promoted to a 64-bit int.  However on 32-bit the
int will be 32-bit and the index + size calculation can overflow.  Rearrange
the math to prevent overflow and add a few more checks for additional safety.
The size should never be less than 0, for example, but we check anyway.
1 parent a203899 commit a6781cc7af0e3c2168cbda9e8cbbb35468f7a7d0 @deanm committed Jan 9, 2013
Showing with 6 additions and 4 deletions.
  1. +6 −4 src/v8_typed_array.cc
@@ -664,9 +664,10 @@ class DataView {
int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
element_size;
- // TODO(deanm): integer overflow.
- if (index + sizeof(T) > static_cast<unsigned int>(size))
+ if (size <= 0 || static_cast<unsigned int>(size) < sizeof(T) ||
+ index > static_cast<unsigned int>(size) - sizeof(T)) {
return ThrowError("IndexSizeError: DOM Exception 1");
+ }
void* ptr = reinterpret_cast<char*>(
args.This()->GetIndexedPropertiesExternalArrayData()) + index;
@@ -697,9 +698,10 @@ class DataView {
int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
element_size;
- // TODO(deanm): integer overflow.
- if (index + sizeof(T) > static_cast<unsigned int>(size))
+ if (size <= 0 || static_cast<unsigned int>(size) < sizeof(T) ||
+ index > static_cast<unsigned int>(size) - sizeof(T)) {
return ThrowError("IndexSizeError: DOM Exception 1");
+ }
void* ptr = reinterpret_cast<char*>(
args.This()->GetIndexedPropertiesExternalArrayData()) + index;
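Review bot: The rearranged bounds check is sound for a given `size`, but `size` is still computed as a signed `int` product (`GetIndexedPropertiesExternalArrayDataLength() * element_size`) at the top of both hunks, and signed overflow there is undefined behaviour that the `size <= 0` test cannot reliably catch. `element_size` is declared outside the hunks; if it is always 1 for DataView, a comment such as `// element_size is 1 for DataView, so this product cannot overflow.` would record that, otherwise the length should be validated against the element size before multiplying. The same three-line condition is repeated verbatim in the 664 and 698 hunks, so a small shared helper taking `size`, `index` and `sizeof(T)` would keep the two call sites from drifting apart. The declaration of `index` is also outside the hunks; the comparison `index > static_cast<unsigned int>(size) - sizeof(T)` is only correct if `index` is an unsigned type, which is worth confirming.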
