TypedArray constructor reads bufferByteLength too early #842
Comments
littledan (Member) commented Mar 18, 2017
I see how this behavior is not what you'd expect--we should probably be doing all conversions before the detached check so that this check can catch as many cases as possible. But I don't see the security issue. A later indexed property access would simply find the underlying ArrayBuffer detached and throw (modulo #678), wouldn't it?
littledan added a commit to littledan/ecma262 that referenced this issue on Mar 18, 2017
littledan referenced this issue on Mar 18, 2017 (Merged): Normative: Swap side effect and check in TypedArray constructor #852
psmarshall commented Mar 22, 2017
Yes, that's true: as long as the property accesses check for a detached ArrayBuffer, this won't cause a security problem.
psmarshall commented Mar 9, 2017 (original issue)
In 22.2.4.5 TypedArray ( buffer [ , byteOffset [ , length ] ] ):

In step 9, we store the value of the byte length of the buffer.

    9. Let bufferByteLength be buffer.[[ArrayBufferByteLength]].

In step 11.a, we can end up in user code via ToIndex.

    11.a. Let newLength be ? ToIndex(length).

In step 11.c, we use the value of bufferByteLength from step 9 -- which could be totally incorrect now, as 11.a could have neutered the buffer.

    11.c. If offset + newByteLength > bufferByteLength, throw a RangeError exception.

If an implementation followed this, it could result in (quite bad) security issues.
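The following is an added example, not code from this issue or from the ecma262 repository. It models steps 6 through 11 of the TypedArray(buffer, byteOffset, length) algorithm quoted above with a mock buffer, runs them once in the original order (bufferByteLength read in step 9 before ToIndex(length) in 11.a) and once with the ordering PR #852 describes (re-check the detached state and re-read the length after the conversion), and finishes with a probe that checks whether the running engine rejects the same construction. The helper names (makeBuffer, detach, toIndex, constructSteps, demo, probeEngine) and the sample values are assumptions made for the demonstration; the probe relies on structuredClone with a transfer list, which detaches an ArrayBuffer in engines that support it.

```javascript
// Added example (not part of the issue or the spec repository): a model of
// TypedArray(buffer, byteOffset, length) steps 6-11 with a mock buffer.

const ELEMENT_SIZE = 1; // model a Uint8Array: one byte per element

// Mock ArrayBuffer exposing only the two internal fields the algorithm reads.
function makeBuffer(byteLength) {
  return { byteLength, detached: false };
}

// Model of DetachArrayBuffer: the byte length becomes 0 and the data is gone.
function detach(buffer) {
  buffer.detached = true;
  buffer.byteLength = 0;
}

// Model of ToIndex: Number() invokes valueOf, i.e. this is where user code runs.
function toIndex(value) {
  if (value === undefined) return 0;
  let n = Number(value);
  if (Number.isNaN(n)) n = 0;
  n = Math.trunc(n);
  if (n < 0 || n > Number.MAX_SAFE_INTEGER) throw new RangeError('invalid index');
  return n;
}

// recheckAfterToIndex=false: the ordering the issue describes (stale step 9 value).
// recheckAfterToIndex=true: the corrected ordering, side effect first, then the check.
function constructSteps(buffer, byteOffset, length, { recheckAfterToIndex }) {
  const offset = toIndex(byteOffset);                                      // step 6
  if (offset % ELEMENT_SIZE !== 0) throw new RangeError('misaligned offset'); // step 7
  if (buffer.detached) throw new TypeError('buffer is detached');          // step 8
  let bufferByteLength = buffer.byteLength;                                // step 9
  let newByteLength;
  if (length === undefined) {                                              // step 10
    if (bufferByteLength % ELEMENT_SIZE !== 0) throw new RangeError('bad buffer length');
    newByteLength = bufferByteLength - offset;
    if (newByteLength < 0) throw new RangeError('offset past end');
  } else {                                                                 // step 11
    const newLength = toIndex(length);                                     // 11.a: user code
    newByteLength = newLength * ELEMENT_SIZE;                              // 11.b
    if (recheckAfterToIndex) {
      // Corrected ordering: the conversion may have detached the buffer, so
      // check again and read the byte length only after all conversions ran.
      if (buffer.detached) throw new TypeError('buffer detached during construction');
      bufferByteLength = buffer.byteLength;
    }
    if (offset + newByteLength > bufferByteLength) throw new RangeError('out of bounds'); // 11.c
  }
  return { buffer, offset, byteLength: newByteLength };
}

// Constructed scenario: the length argument detaches the buffer while ToIndex
// converts it. Returns what the construction produced under each ordering.
function demo(recheckAfterToIndex) {
  const buffer = makeBuffer(16);
  const length = { valueOf() { detach(buffer); return 4; } };
  try {
    const view = constructSteps(buffer, 0, length, { recheckAfterToIndex });
    // Under the original ordering this is a 4-byte view over a detached buffer.
    return { outcome: 'constructed', byteLength: view.byteLength, bufferDetached: buffer.detached };
  } catch (e) {
    return { outcome: e.constructor.name };
  }
}

// Conformance probe for the engine this runs in: a correct implementation throws
// a TypeError rather than producing a view over a detached buffer.
function probeEngine() {
  if (typeof structuredClone !== 'function') return 'unavailable';
  const buf = new ArrayBuffer(16);
  const length = { valueOf() { structuredClone(buf, { transfer: [buf] }); return 4; } };
  try {
    new Uint8Array(buf, 0, length);
    return 'constructed';
  } catch (e) {
    return e.constructor.name;
  }
}

console.log('original ordering:', demo(false));
console.log('corrected ordering:', demo(true));
console.log('this engine:', probeEngine());
```

With the original ordering the model returns a 4-byte view whose buffer is already detached, which is exactly the stale-length situation the issue describes; with the corrected ordering it throws a TypeError at the re-check, and a conforming engine reports TypeError from the probe.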