Bug 1571911: avoid uint32_t overflow in js shell by checking size of Uint8Array allocation for file buffer. r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D43165

--HG--
extra : moz-landing-system : lando

js/src/shell/OSObject.cpp

@@ -197,6 +197,11 @@ JSObject* FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr) {
       }
       JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.get());
     } else {
+      if (len > ArrayBufferObject::MaxBufferByteLength) {
+        JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
+                           pathname.get());
+        return nullptr;
+      }
       obj = JS_NewUint8Array(cx, len);
       if (!obj) {
         return nullptr;