Bug 1425612 - Better error messages for invalid structured clone data. r=sfink, a=abillings.

--HG--
extra : rebase_source : 66e28aa6cc6172eb9bbb06c1b8fc934ef80e721d
extra : source : 462f41ca6771fa573e6550509e78dddc8bd8d102
Jason Orendorff 2017-12-16 07:16:26 -06:00
Родитель b62884603e
Коммит 63a5e2d4e7
1 изменённых файлов: 39 добавлений и 4 удалений


@ -1916,6 +1916,12 @@ JSStructuredCloneReader::readTypedArray(uint32_t arrayType, uint32_t nelems, Mut
return false;
byteOffset = n;
}
if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"typed array must be backed by an ArrayBuffer");
return false;
}
RootedObject buffer(context(), &v.toObject());
RootedObject obj(context(), nullptr);
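Review bot: Every new rejection site in this commit spells out the same five-argument JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA, ...) call followed by `return false;`, starting with the ArrayBuffer check added here and recurring in each later hunk of this file. A small private helper on the reader, `bool JSStructuredCloneReader::reportBadData(const char* what) { JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA, what); return false; }` (with a matching declaration in the class), would reduce each site to `return reportBadData("typed array must be backed by an ArrayBuffer");` and keep the error number uniform as further checks are added. This is a point of style only; the check itself is correct. readTypedArray begins and ends outside this hunk.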
@ -1973,6 +1979,11 @@ JSStructuredCloneReader::readDataView(uint32_t byteLength, MutableHandleValue vp
RootedValue v(context());
if (!startRead(&v))
return false;
if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"DataView must be backed by an ArrayBuffer");
return false;
}
// Read byteOffset.
uint64_t n;
@ -2028,8 +2039,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
// We must not transfer buffer pointers cross-process. The cloneDataPolicy
// in the sender should guard against this; check that it does.
MOZ_RELEASE_ASSERT(storedScope <= JS::StructuredCloneScope::SameProcessDifferentThread);
if (storedScope > JS::StructuredCloneScope::SameProcessDifferentThread) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"can't transfer SharedArrayBuffer cross-process");
return false;
}
// The new object will have a new reference to the rawbuf.
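Review bot: The comment above the new scope check still describes it as confirming that the sender's cloneDataPolicy did its job, which read naturally while MOZ_RELEASE_ASSERT turned a violation into a crash; now that a stream claiming a scope beyond SameProcessDifferentThread is reported as JSMSG_SC_BAD_SERIALIZED_DATA and the function returns false, the comment should say that the reader does not trust the stream's claimed scope. I would replace the two comment lines with `// Data tagged with a cross-process scope must not carry SharedArrayBuffer pointers. The sender's cloneDataPolicy should guarantee that, but serialized data can claim any scope, so reject it here rather than touch the raw buffer.` If the rawbuf pointer is read from the stream above this hunk (not visible here), the check must stay ahead of any use of it. readSharedArrayBuffer begins and ends outside this hunk.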
@ -2051,7 +2065,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
bool
JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValue vp)
{
MOZ_ASSERT(nbytes == 0);
if (nbytes != 0) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"invalid shared wasm memory tag");
return false;
}
JSContext* cx = context();
@ -2059,6 +2077,11 @@ JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValu
RootedValue payload(cx);
if (!startRead(&payload))
return false;
if (!payload.isObject() || !payload.toObject().is<SharedArrayBufferObject>()) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"shared wasm memory must be backed by a SharedArrayBuffer");
return false;
}
Rooted<ArrayBufferObjectMaybeShared*> sab(
cx, &payload.toObject().as<SharedArrayBufferObject>());
@ -2081,7 +2104,11 @@ bool
JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems,
MutableHandleValue vp)
{
MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
if (arrayType > Scalar::Uint8Clamped) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"invalid TypedArray type");
return false;
}
mozilla::CheckedInt<size_t> nbytes =
mozilla::CheckedInt<size_t>(nelems) *
@ -2353,6 +2380,14 @@ JSStructuredCloneReader::readHeader()
}
MOZ_ALWAYS_TRUE(in.readPair(&tag, &data));
if (data != uint32_t(JS::StructuredCloneScope::SameProcessSameThread) &&
data != uint32_t(JS::StructuredCloneScope::SameProcessDifferentThread) &&
data != uint32_t(JS::StructuredCloneScope::DifferentProcess))
{
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
"invalid structured clone scope");
return false;
}
storedScope = JS::StructuredCloneScope(data);
if (storedScope < allowedScope) {
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,