Title: [129424] trunk/Source/WebCore
- Revision
- 129424
- Author
- k...@google.com
- Date
- 2012-09-24 15:18:04 -0700 (Mon, 24 Sep 2012)
Log Message
[V8] ArrayBuffer code should not pass a negative length to SetIndexedPropertiesToExternalArrayData()
https://bugs.webkit.org/show_bug.cgi?id=96703
Reviewed by Adam Barth.
Check length arguments that may be passed to SetIndexedPropertiesToExternalArrayData.
No tests because it is not guaranteed that buffers this large can actually be allocated.
* bindings/v8/custom/V8ArrayBufferViewCustom.h:
(WebCore::wrapArrayBufferView):
(WebCore::constructWebGLArrayWithArrayBufferArgument):
(WebCore::constructWebGLArray):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (129423 => 129424)
--- trunk/Source/WebCore/ChangeLog 2012-09-24 22:14:47 UTC (rev 129423)
+++ trunk/Source/WebCore/ChangeLog 2012-09-24 22:18:04 UTC (rev 129424)
@@ -1,3 +1,19 @@
+2012-09-21 Kenneth Russell <k...@google.com>
+
+ [V8] ArrayBuffer code should not pass a negative length to SetIndexedPropertiesToExternalArrayData()
+ https://bugs.webkit.org/show_bug.cgi?id=96703
+
+ Reviewed by Adam Barth.
+
+ Check length arguments that may be passed to SetIndexedPropertiesToExternalArrayData.
+
+ No tests because it is not guaranteed that buffers this large can actually be allocated.
+
+ * bindings/v8/custom/V8ArrayBufferViewCustom.h:
+ (WebCore::wrapArrayBufferView):
+ (WebCore::constructWebGLArrayWithArrayBufferArgument):
+ (WebCore::constructWebGLArray):
+
2012-09-24 Antti Koivisto <an...@apple.com>
Split stylesheet related code out from Document
Modified: trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h (129423 => 129424)
--- trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h 2012-09-24 22:14:47 UTC (rev 129423)
+++ trunk/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h 2012-09-24 22:18:04 UTC (rev 129424)
@@ -52,6 +52,7 @@
{
// Transform the holder into a wrapper object for the array.
V8DOMWrapper::setDOMWrapper(args.Holder(), type, array.get());
+ ASSERT(!hasIndexer || static_cast<int32_t>(array.get()->length()) >= 0);
if (hasIndexer)
args.Holder()->SetIndexedPropertiesToExternalArrayData(array.get()->baseAddress(), arrayType, array.get()->length());
v8::Handle<v8::Object> wrapper = args.Holder();
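Review bot: The ASSERT at the top of this hunk is compiled out in release builds, so a view whose length() does not fit in int32_t would still reach SetIndexedPropertiesToExternalArrayData there with a truncated, negative element count; the commit relies on the constructor-side checks elsewhere in this patch being the only way such a view arrives at wrapArrayBufferView. If any native caller can hand in a view it built itself (I cannot see the callers from here), that invariant should be enforced rather than asserted, e.g. `if (hasIndexer && static_cast<int32_t>(array.get()->length()) >= 0)`, so an oversized view presumably gets the non-indexed wrapper instead of a negative length. Either way a comment naming the invariant would help: `// V8 takes the element count as a signed int; the constructors reject lengths that do not fit, so this cannot be negative here.` wrapArrayBufferView's signature is above the hunk.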
@@ -85,6 +86,10 @@
return throwError(RangeError, "ArrayBuffer length minus the byteOffset is not a multiple of the element size.", args.GetIsolate());
length = (buf->byteLength() - offset) / sizeof(ElementType);
}
+
+ if (static_cast<int32_t>(length) < 0)
+ return throwError(RangeError, tooLargeSize, args.GetIsolate());
+
RefPtr<ArrayClass> array = ArrayClass::create(buf, offset, length);
if (!array)
return throwError(RangeError, tooLargeSize, args.GetIsolate());
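Review bot: The new check `static_cast<int32_t>(length) < 0` encodes "length exceeds INT32_MAX" through an unsigned-to-signed conversion whose out-of-range result is implementation-defined before C++20, and nothing in the hunk says why a signed range matters for an unsigned length. Comparing against the limit directly reads as what it means and drops the reliance on wraparound; since the same test recurs at the other sites in this file, a small named helper next to these constructors (it needs `<limits>`) would let each site become `if (!fitsInInt32(length)) return throwError(RangeError, tooLargeSize, args.GetIsolate());`. The enclosing function continues on both sides of the hunk.
```cpp
// V8's SetIndexedPropertiesToExternalArrayData takes the element count as a
// signed int, so any length that does not fit in int32_t must be rejected
// before a view is wrapped, or V8 would see a negative length.
static inline bool fitsInInt32(uint32_t length)
{
    return length <= static_cast<uint32_t>(std::numeric_limits<int32_t>::max());
}
// … unchanged: byteOffset / byteLength validation above …
    if (!fitsInInt32(length))
        return throwError(RangeError, tooLargeSize, args.GetIsolate());
```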
@@ -143,6 +148,10 @@
if (_javascript_WrapperArrayType::HasInstance(args[0])) {
ArrayClass* source = _javascript_WrapperArrayType::toNative(args[0]->ToObject());
uint32_t length = source->length();
+
+ if (static_cast<int32_t>(length) < 0)
+ return throwError(RangeError, tooLargeSize, args.GetIsolate());
+
RefPtr<ArrayClass> array = ArrayClass::createUninitialized(length);
if (!array.get())
return throwError(RangeError, tooLargeSize, args.GetIsolate());
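Review bot: The check on `length` here rejects copying from a source view that already exists with more than INT32_MAX elements, which raises the question of how such a view was wrapped in the first place; since the ASSERT in wrapArrayBufferView is debug-only, this reads as defense in depth for views created natively rather than through these constructors, but the hunk does not say so. A one-line comment would make the intent reviewable and keep a future cleanup from dropping the check as redundant: `// source may have been created natively with a length V8 cannot index; reject rather than truncate.` The enclosing branch and function continue outside the hunk.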
@@ -174,6 +183,9 @@
}
}
+ if (static_cast<int32_t>(len) < 0)
+ return throwError(RangeError, tooLargeSize, args.GetIsolate());
+
RefPtr<ArrayClass> array;
if (doInstantiation) {
if (srcArray.IsEmpty())
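Review bot: `len` is declared above this hunk, so its type is not visible; if it is a signed int, the cast in `static_cast<int32_t>(len) < 0` is an identity and this branch actually rejects a negative length passed from script, for which tooLargeSize is a misleading message, while if it is unsigned the check matches the other sites in the file. A comment tying the test to its reason would help either way: `// V8 takes the element count as a signed int; reject lengths it would see as negative.` Once len's type is confirmed unsigned, the test is clearer written against the limit, `if (len > static_cast<uint32_t>(std::numeric_limits<int32_t>::max()))` with `<limits>`; if it is signed, that rewrite would silently drop the negative-length rejection and should not be applied. The enclosing function continues on both sides of the hunk.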