Bug 1068458 - Limit SharedArrayBuffer and SharedTypedArray to INT32_MAX bytes. r=waldo

Lars T Hansen 2014-09-20 12:12:06 +02:00
Родитель c5500b85df
Коммит 1839b19b76
3 изменённых файлов: 33 добавлений и 11 удалений


@ -0,0 +1,14 @@
// This used to assert, now it will throw because the limit
// (in bytes) on a SharedArrayBuffer is INT32_MAX.
if (!this.SharedUint16Array)
quit();
var thrown = false;
try {
new SharedUint16Array(2147483647);
}
catch (e) {
thrown = true;
}
assertEq(thrown, true);
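Review bot: The test asserts only that some exception escaped the `try`, so a ReferenceError or any unrelated failure in `new SharedUint16Array(2147483647)` would also satisfy `assertEq(thrown, true)`; catching the error and asserting its type (for example via `assertThrowsInstanceOf` from the jit-test `asserts.js` helper) would pin the behaviour this commit introduces, though which exception class the `JSMSG_NEED_DIET` path raises needs confirming before the expected type is written down. The test also covers only the element-count path through the typed-array constructor; the new `length > INT32_MAX` branch in `SharedArrayBufferObject::class_constructor` is not exercised, and a companion case such as `new SharedArrayBuffer(0x80000000)` expected to throw would close that gap. The hunk header reports 14 added lines but only 12 are rendered here, so the file may contain blank lines that this view dropped.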


@ -198,7 +198,8 @@ SharedArrayBufferObject::class_constructor(JSContext *cx, unsigned argc, Value *
uint32_t length;
bool overflow;
if (!ToLengthClamped(cx, args.get(0), &length, &overflow)) {
if (overflow)
// Bug 1068458: Limit length to 2^31-1.
if (overflow || length > INT32_MAX)
JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_SHARED_ARRAY_BAD_LENGTH);
return false;
}
@ -214,10 +215,14 @@ SharedArrayBufferObject *
SharedArrayBufferObject::New(JSContext *cx, uint32_t length)
{
if (!IsValidAsmJSHeapLength(length)) {
ScopedJSFreePtr<char> msg(
JS_smprintf("SharedArrayBuffer byteLength 0x%x is not a valid length. The next valid "
"length is 0x%x", length, RoundUpToNextValidAsmJSHeapLength(length)));
JS_ReportError(cx, msg.get());
mozilla::UniquePtr<char[], JS::FreePolicy> msg;
if (length > INT32_MAX)
msg.reset(JS_smprintf("SharedArrayBuffer byteLength 0x%x is too large", length));
else
msg.reset(JS_smprintf("SharedArrayBuffer byteLength 0x%x is not a valid length. The next valid "
"length is 0x%x", length, RoundUpToNextValidAsmJSHeapLength(length)));
if (msg)
JS_ReportError(cx, msg.get());
return nullptr;
}
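Review bot: In `SharedArrayBufferObject::New`, when `JS_smprintf` returns null the new `if (msg)` guard skips the report and the function returns nullptr with no exception pending, so callers cannot tell this failure from a reported one; add `else JS_ReportOutOfMemory(cx);` after the `if (msg)` branch. Separately, the `length > INT32_MAX` test in this hunk only selects the message text: rejection still hinges on `IsValidAsmJSHeapLength`, and if that predicate accepts a length above INT32_MAX (0x80000000 is a power of two) `New` proceeds past this block without the limit the commit title promises, leaving enforcement entirely to the caller-side checks in the constructors. Making the limit explicit at this single allocation choke point, `if (length > INT32_MAX || !IsValidAsmJSHeapLength(length)) {`, keeps it independent of which caller reached `New`. The function body continues past the end of the hunk.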


@ -87,9 +87,10 @@ class SharedTypedArrayObjectTemplate : public SharedTypedArrayObject
// A value that signifies that we should use the buffer up to the end.
static const uint32_t LENGTH_NOT_PROVIDED = (uint32_t)-1;
// This is the max implementation value of 'length': 2^32-2.
// The value 2^32-1 is reserved for LENGTH_NOT_PROVIDED.
static const uint32_t MAX_LENGTH = 0xFFFFFFFEU;
// This is the max implementation value of 'length': 2^31-1.
// The reason it is not 2^32-2 is due to Bug 1068458: most of the
// TypedArray code limits the length to INT32_MAX.
static const uint32_t MAX_LENGTH = INT32_MAX;
// This is the max value of 'byteOffset': one below the length.
static const uint32_t MAX_BYTEOFFSET = MAX_LENGTH - 1;
@ -275,7 +276,8 @@ class SharedTypedArrayObjectTemplate : public SharedTypedArrayObject
uint32_t length;
bool overflow;
if (!ToLengthClamped(cx, args[0], &length, &overflow)) {
if (overflow)
// Bug 1068458: Limit length to 2^31-1.
if (overflow || length > INT32_MAX)
JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr, JSMSG_BAD_ARRAY_LENGTH);
return nullptr;
}
@ -307,7 +309,8 @@ class SharedTypedArrayObjectTemplate : public SharedTypedArrayObject
if (args.length() > 2) {
bool overflow;
if (!ToLengthClamped(cx, args[2], &length, &overflow)) {
if (overflow)
// Bug 1068458: Limit length to 2^31-1.
if (overflow || length > INT32_MAX)
JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
JSMSG_SHARED_TYPED_ARRAY_ARG_RANGE, "'length'");
return nullptr;
@ -323,7 +326,7 @@ class SharedTypedArrayObjectTemplate : public SharedTypedArrayObject
{
if (nelements > MAX_LENGTH / sizeof(NativeType)) {
JS_ReportErrorNumber(cx, js_GetErrorMessage, nullptr,
JSMSG_NEED_DIET, "size and count");
JSMSG_NEED_DIET, "shared typed array");
return false;
}
buffer.set(SharedArrayBufferObject::New(cx, nelements * sizeof(NativeType)));
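Review bot: The two `ToLengthClamped` call sites (the `args[0]` hunk and the `args[2]` hunk) compare against the literal `INT32_MAX` while the class now defines `MAX_LENGTH` with exactly that value a few lines above, so the two limits can silently drift apart if one is later changed; use the constant in both places, `if (overflow || length > MAX_LENGTH)`, and the `// Bug 1068458` comment can then point at the `MAX_LENGTH` definition rather than repeating the number. With `MAX_LENGTH = INT32_MAX` the existing `nelements > MAX_LENGTH / sizeof(NativeType)` guard in the last hunk also keeps the computed byte length within INT32_MAX, which matches the limit applied in `SharedArrayBufferObject::New`; it would be worth a one-line comment there saying that this is what keeps `nelements * sizeof(NativeType)` below the SharedArrayBuffer byte limit. The enclosing constructor bodies start and end outside the hunks.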