From 63a5e2d4e76e21a3d6a652b30f3a318284d7707c Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Sat, 16 Dec 2017 07:16:26 -0600
Subject: [PATCH] Bug 1425612 - Better error messages for invalid structured clone data. r=sfink, a=abillings.
--HG--
extra : rebase_source : 66e28aa6cc6172eb9bbb06c1b8fc934ef80e721d
extra : source : 462f41ca6771fa573e6550509e78dddc8bd8d102
---
 js/src/vm/StructuredClone.cpp | 43 +++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 6fe93473299d..ecc05612007f 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -1916,6 +1916,12 @@ JSStructuredCloneReader::readTypedArray(uint32_t arrayType, uint32_t nelems, Mut
 return false;
 byteOffset = n;
 }
+ if (!v.isObject() || !v.toObject().is()) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "typed array must be backed by an ArrayBuffer");
+ return false;
+ }
+
 RootedObject buffer(context(), &v.toObject());
 RootedObject obj(context(), nullptr);
@@ -1973,6 +1979,11 @@ JSStructuredCloneReader::readDataView(uint32_t byteLength, MutableHandleValue vp
 RootedValue v(context());
 if (!startRead(&v))
 return false;
+ if (!v.isObject() || !v.toObject().is()) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "DataView must be backed by an ArrayBuffer");
+ return false;
+ }
 // Read byteOffset.
 uint64_t n;
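Review bot: The guard-report-return sequence added after `byteOffset = n;` in readTypedArray is repeated with only the message text changed in the readDataView, readSharedArrayBuffer, both readSharedWasmMemory, readV1ArrayBuffer and readHeader hunks of this patch; a private helper on JSStructuredCloneReader would keep all seven error paths identical and make a missing `return false` at one site impossible. Each site then reduces to `return reportBadData("typed array must be backed by an ArrayBuffer");` under its existing condition, with the helper declared in the class definition. readTypedArray begins outside the hunk, so the declaration of byteOffset and the earlier startRead call are not visible here.
```cpp
// … new private helper, declared on JSStructuredCloneReader …
bool
JSStructuredCloneReader::reportBadData(const char* msg)
{
    JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA, msg);
    return false;
}

// … unchanged: byteOffset read in readTypedArray …
    if (!v.isObject() || !v.toObject().is<ArrayBufferObject>())
        return reportBadData("typed array must be backed by an ArrayBuffer");
```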
@@ -2028,8 +2039,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
 // We must not transfer buffer pointers cross-process. The cloneDataPolicy
 // in the sender should guard against this; check that it does.
-
- MOZ_RELEASE_ASSERT(storedScope <= JS::StructuredCloneScope::SameProcessDifferentThread);
+ if (storedScope > JS::StructuredCloneScope::SameProcessDifferentThread) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "can't transfer SharedArrayBuffer cross-process");
+ return false;
+ }
 // The new object will have a new reference to the rawbuf.
@@ -2051,7 +2065,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
 bool
 JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValue vp)
 {
- MOZ_ASSERT(nbytes == 0);
+ if (nbytes != 0) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "invalid shared wasm memory tag");
+ return false;
+ }
 JSContext* cx = context();
@@ -2059,6 +2077,11 @@ JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValu
 RootedValue payload(cx);
 if (!startRead(&payload))
 return false;
+ if (!payload.isObject() || !payload.toObject().is()) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "shared wasm memory must be backed by a SharedArrayBuffer");
+ return false;
+ }
 Rooted sab( cx, &payload.toObject().as());
@@ -2081,7 +2104,11 @@ bool
 JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems, MutableHandleValue vp)
 {
- MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
+ if (arrayType > Scalar::Uint8Clamped) {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "invalid TypedArray type");
+ return false;
+ }
 mozilla::CheckedInt nbytes = mozilla::CheckedInt(nelems) *
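Review bot: The comment kept above the new guard in readSharedArrayBuffer, `// in the sender should guard against this; check that it does.`, described the MOZ_RELEASE_ASSERT that this hunk removes; with a reportable error in its place it should state what the check can and cannot establish. storedScope is taken from the stream header (see the readHeader hunk), so the comparison rejects data that declares a DifferentProcess scope but cannot detect a stream produced elsewhere that merely claims an in-process scope; the pointer it protects is the rawbuf named in the comment after the guard, which is presumably read earlier in the function, outside this hunk. Suggest replacing the second comment line with `// The cloneDataPolicy in the sender should guard against this. storedScope comes from the` / `// stream header, so this rejects data that declares a cross-process scope; it does not` / `// authenticate the sender, and the rawbuf pointer must not be used before this point.` readSharedArrayBuffer begins outside the hunk.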
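Review bot: The new bound `arrayType > Scalar::Uint8Clamped` in readV1ArrayBuffer relies on Scalar::Uint8Clamped being the last enumerator a v1 stream may carry and on every enumerator below it being acceptable, and nothing at the site records that; the removed MOZ_ASSERT carried the same assumption, but the comparison is now the only thing between wire data and whatever the rest of the function does with arrayType. A one-line comment such as `// Uint8Clamped is the highest TypedArray type the v1 format could encode; larger values are not valid v1 data.` would tie the constant to the format rather than to the enum's current order, and a static_assert on that ordering would catch a later insertion into Scalar::Type. The body of readV1ArrayBuffer continues outside the hunk, so how arrayType is consumed after the CheckedInt computation is not visible here.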
@@ -2353,6 +2380,14 @@ JSStructuredCloneReader::readHeader()
 }
 MOZ_ALWAYS_TRUE(in.readPair(&tag, &data));
+ if (data != uint32_t(JS::StructuredCloneScope::SameProcessSameThread) &&
+ data != uint32_t(JS::StructuredCloneScope::SameProcessDifferentThread) &&
+ data != uint32_t(JS::StructuredCloneScope::DifferentProcess))
+ {
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
+ "invalid structured clone scope");
+ return false;
+ }
 storedScope = JS::StructuredCloneScope(data);
 if (storedScope < allowedScope) {
 JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,