/ecma262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TypedArray constructor reads bufferByteLength too early #842

Closed
psmarshall opened this Issue Mar 9, 2017 · 2 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@psmarshall @littledan
@psmarshall

psmarshall commented Mar 9, 2017

In 22.2.4.5 TypedArray ( buffer [ , byteOffset [ , length ] ] ):

In step 9, we store the value of the byte length of the buffer.
9. Let bufferByteLength be buffer.[[ArrayBufferByteLength]].

In step 11.a, we can end up in user-code via ToIndex.
11.a. Let newLength be ? ToIndex(length).

In step 11.c, we use the value of bufferByteLength from step 9 -- which could be totally incorrect now, as 11.a could have neutered the buffer.
11.c. If offset + newByteLength > bufferByteLength, throw a RangeError exception.

If an implementation followed this, it could result in (quite bad) security issues.
@littledan

This comment has been minimized.

Show comment
Hide comment
@littledan

littledan Mar 18, 2017

Member

I see how this behavior is not what you'd expect--we should probably be doing all conversions before the detached check so that this check can catch as many cases as possible. But I don't see the security issue. A later indexed property access would simply find the underlying ArrayBuffer detached and throw (modulo #678), wouldn't it?
Member

littledan commented Mar 18, 2017

I see how this behavior is not what you'd expect--we should probably be doing all conversions before the detached check so that this check can catch as many cases as possible. But I don't see the security issue. A later indexed property access would simply find the underlying ArrayBuffer detached and throw (modulo #678), wouldn't it?

littledan added a commit to littledan/ecma262 that referenced this issue Mar 18, 2017

@littledan
Normative: Swap side effect and check in TypedArray constructor 
Previously, in one of the TypedArray constructor paths, an ArrayBuffer
was checked for being detached, and then a ToIndex calculation is done.
Because ToIndex may detach the ArrayBuffer itself, this patch moves
the detached check to afterwards, so that it can include that possible
time when the ArrayBuffer may be detached.

Closes tc39#842
a8aaecc

@littledan littledan referenced this issue Mar 18, 2017

Merged

Normative: Swap side effect and check in TypedArray constructor #852

@psmarshall

This comment has been minimized.

Show comment
Hide comment
@psmarshall

psmarshall Mar 22, 2017

Yes that's true, as long as the property accesses check for detached ArrayBuffer, this won't cause a security problem

psmarshall commented Mar 22, 2017

Yes that's true, as long as the property accesses check for detached ArrayBuffer, this won't cause a security problem

@bterlson bterlson closed this in #852 Mar 31, 2017

bterlson added a commit that referenced this issue Mar 31, 2017

@littledan @bterlson
Normative: Swap side effect and check in TypedArray constructor (#852) 
Previously, in one of the TypedArray constructor paths, an ArrayBuffer
was checked for being detached, and then a ToIndex calculation is done.
Because ToIndex may detach the ArrayBuffer itself, this patch moves
the detached check to afterwards, so that it can include that possible
time when the ArrayBuffer may be detached.

Closes #842
eec4f33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment