Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

typed arrays: fix 32 bit size/index overflow

Fix an out-of-bound read/write bug due to integer wrapping. Reported by
Dean McNamee.
  • Loading branch information...
commit ed825f488867d7586bee6ca4feb5fe5b0461775e 1 parent aa742dd
@bnoordhuis bnoordhuis authored
Showing with 23 additions and 6 deletions.
  1. +13 −6 src/v8_typed_array.cc
  2. +10 −0 test/simple/test-typed-arrays.js
View
19 src/v8_typed_array.cc
@@ -21,6 +21,7 @@
#include <stdlib.h> // calloc, etc
#include <string.h> // memmove
+#include <stdint.h>
#include "v8_typed_array.h"
#include "node_buffer.h"
@@ -722,11 +723,14 @@ class DataView {
// TODO(deanm): All of these things should be cacheable.
int element_size = SizeOfArrayElementForType(
args.This()->GetIndexedPropertiesExternalArrayDataType());
- int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
- element_size;
+ assert(element_size > 0);
+ int size = args.This()->GetIndexedPropertiesExternalArrayDataLength();
+ assert(size >= 0);
- if (index + sizeof(T) > (unsigned)size) // TODO(deanm): integer overflow.
+ if (static_cast<uint64_t>(index) + sizeof(T) >
+ static_cast<uint64_t>(size) * element_size) {
return ThrowError("Index out of range.");
+ }
void* ptr = args.This()->GetIndexedPropertiesExternalArrayData();
return cTypeToValue<T>(getValue<T>(ptr, index, !little_endian));
@@ -742,11 +746,14 @@ class DataView {
// TODO(deanm): All of these things should be cacheable.
int element_size = SizeOfArrayElementForType(
args.This()->GetIndexedPropertiesExternalArrayDataType());
- int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
- element_size;
+ assert(element_size > 0);
+ int size = args.This()->GetIndexedPropertiesExternalArrayDataLength();
+ assert(size >= 0);
- if (index + sizeof(T) > (unsigned)size) // TODO(deanm): integer overflow.
+ if (static_cast<uint64_t>(index) + sizeof(T) >
+ static_cast<uint64_t>(size) * element_size) {
return ThrowError("Index out of range.");
+ }
void* ptr = args.This()->GetIndexedPropertiesExternalArrayData();
setValue<T>(ptr, index, valueToCType<T>(args[1]), !little_endian);
View
10 test/simple/test-typed-arrays.js
@@ -182,3 +182,13 @@ assert.equal(uint8c[1], 255);
var view = new DataView(array.buffer);
for (var i = 128; i <= 255; ++i) assert.equal(view.getInt8(i - 128), i - 256);
})();
+
+assert.throws(function() {
+ var buf = new DataView(new ArrayBuffer(8));
+ buf.getFloat64(0xffffffff, true);
+}, /Index out of range/);
+
+assert.throws(function() {
+ var buf = new DataView(new ArrayBuffer(8));
+ buf.setFloat64(0xffffffff, 0.0, true);
+}, /Index out of range/);
Please sign in to comment.
Something went wrong with that request. Please try again.