[webkit-reviews] review requested: [Bug 231975] JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX : [Attachment 442197] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 22 14:01:52 PDT 2021


Robin Morisset <rmorisset at apple.com> has asked for review:
Bug 231975: JSGenericTypedArrayView<Adaptor>::set crashes if the length +
objectOffset is > UINT32_MAX
https://bugs.webkit.org/show_bug.cgi?id=231975

Attachment 442197: Patch

https://bugs.webkit.org/attachment.cgi?id=442197&action=review
--- Comment #8 from Robin Morisset <rmorisset at apple.com> ---
Created attachment 442197

  --> https://bugs.webkit.org/attachment.cgi?id=442197&action=review

Patch

Fixed: I had changed an int into a size_t, and the code was relying on it being
decremented until it no longer compared >= 0.


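The bug described in the comment above is the classic unsigned countdown pitfall: a loop that decrements an index and stops when it compares < 0 works for int, but once the index becomes size_t the condition `i >= 0` is always true, the index wraps past 0 to SIZE_MAX, and the next access is out of bounds. The following is an added example, not WebKit code and not the content of the patch; the function names and the sample vector are constructed for illustration. It shows the signed original shape, the mechanically converted size_t loop (with a guard that reports the wrap instead of reading out of bounds), and the correct unsigned idiom that tests before decrementing.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed sample input (not from the bug or patch): values summed from the back.
static const std::vector<uint64_t> kSample = {1, 2, 3, 4, 5};

// Original shape of the idiom: a signed index decremented until it compares < 0.
// Terminates because int can go negative, but static_cast<int>(size()) truncates
// once a length exceeds INT_MAX, which is why such indices get widened to size_t.
uint64_t sumBackwardSigned(const std::vector<uint64_t>& v)
{
    uint64_t total = 0;
    for (int i = static_cast<int>(v.size()) - 1; i >= 0; --i)
        total += v[i];
    return total;
}

// The same loop after replacing int with size_t. `i >= 0` is a tautology for an
// unsigned type, so the loop cannot exit through its condition: after visiting
// index 0, --i wraps to SIZE_MAX and v[i] would read far outside the buffer.
// This version detects the wrap and reports it instead of performing the read.
// Returns true if the loop ran off the front of the array (it always does).
bool sumBackwardUnsignedWraps(const std::vector<uint64_t>& v, uint64_t& total)
{
    total = 0;
    for (size_t i = v.size() - 1; i >= 0; --i) {   // condition is always true
        if (i >= v.size())
            return true;                            // i wrapped: out-of-bounds index
        total += v[i];
    }
    return false;                                   // unreachable
}

// Correct unsigned countdown: compare, then decrement. The body sees
// size()-1 .. 0 and the loop exits when i reaches 0 without ever wrapping.
// Works for any size_t length, including lengths above UINT32_MAX that
// the int version cannot represent, and for an empty vector.
uint64_t sumBackwardUnsigned(const std::vector<uint64_t>& v)
{
    uint64_t total = 0;
    for (size_t i = v.size(); i-- > 0;)
        total += v[i];
    return total;
}

int main()
{
    uint64_t wrappedTotal = 0;
    bool wrapped = sumBackwardUnsignedWraps(kSample, wrappedTotal);
    std::printf("signed:   %llu\n", (unsigned long long)sumBackwardSigned(kSample));
    std::printf("size_t with i >= 0: total %llu, wrapped past index 0: %s\n",
                (unsigned long long)wrappedTotal, wrapped ? "yes" : "no");
    std::printf("size_t with i-- > 0: %llu\n", (unsigned long long)sumBackwardUnsigned(kSample));
    return 0;
}
```

Compilers flag the tautological comparison only with extra warnings enabled (GCC -Wtype-limits under -Wextra), so a review that widens an int index to size_t should look for every `>= 0` exit condition on that variable, not rely on the build to catch it.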