[webkit-reviews] review requested: [Bug 231975] JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX : [Attachment 442234] Patch
bugzilla-daemon at webkit.org
Fri Oct 22 17:56:46 PDT 2021
Robin Morisset <rmorisset at apple.com> has asked for review:
Bug 231975: JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX
https://bugs.webkit.org/show_bug.cgi?id=231975
Attachment 442234: Patch
https://bugs.webkit.org/attachment.cgi?id=442234&action=review
--- Comment #9 from Robin Morisset <rmorisset at apple.com> ---
Created attachment 442234
--> https://bugs.webkit.org/attachment.cgi?id=442234&action=review
Patch
Fix the last bug, which only occurred on some x86_64 machines.
Turns out converting from size_t to double to size_t is not guaranteed to
roundtrip, and this caused an issue in genericTypedArrayViewProtoFuncSet.
The fix was fairly simple:
```
- offset = static_cast<size_t>(std::min(offsetNumber,
static_cast<double>(std::numeric_limits<size_t>::max())));
+ if (offsetNumber <= maxSafeInteger() && offsetNumber <=
static_cast<double>(std::numeric_limits<size_t>::max()))
+ offset = offsetNumber;
+ else
+ offset = std::numeric_limits<size_t>::max();
```
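Review bot: the second condition in the added `if`, `offsetNumber <= static_cast<double>(std::numeric_limits<size_t>::max())`, is itself the conversion that does not round-trip (on 64-bit targets `size_t` max becomes 2^64 as a double), so on its own it would admit a value that the following conversion cannot represent. It is safe only because the `maxSafeInteger()` check runs first and 2^53 - 1 lies below `size_t` max on 64-bit targets; the second condition only does real work on 32-bit targets, where 2^32 - 1 converts to double exactly. A one-line comment stating that ordering would keep a later reader from reordering or "simplifying" the two checks. Separately, `+ offset = offsetNumber;` is an implicit double-to-`size_t` narrowing; `offset = static_cast<size_t>(offsetNumber);` would make it explicit and match the removed line. The visible lines do not show whether `offsetNumber` has already been rejected when negative; if not, a negative value passes both `<=` comparisons and the conversion is again out of range (NaN, by contrast, fails both comparisons and saturates to `size_t` max, which is presumably the intended fallback).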
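The round-trip problem the comment describes, and the shape of the fix, as an added stand-alone example (not WebKit's code). On an LP64 target `std::numeric_limits<size_t>::max()` is 2^64 - 1, which is not representable as a double and rounds up to 2^64; clamping with that value therefore leaves out-of-range doubles out of range, and the subsequent double-to-`size_t` conversion is undefined behaviour whose result depends on the instruction sequence the compiler emits. The example checks for the out-of-range case instead of performing the conversion, and `kMaxSafeInteger` is a local constant assumed to denote the same 2^53 - 1 bound that WebKit's `maxSafeInteger()` does; the function names are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <limits>

// Largest integer a double represents exactly (2^53 - 1). Assumed to be the
// same bound that WebKit's maxSafeInteger() returns; defined locally here.
constexpr double kMaxSafeInteger = 9007199254740991.0;

// 2^64 exactly as a double: what size_t's max becomes after conversion on
// 64-bit targets, because 2^64 - 1 is not representable and rounds up.
constexpr double kTwoPow64 = 18446744073709551616.0;

// True only if size_t's max survives a size_t -> double round trip, i.e. if
// the converted double is still below 2^64. On 64-bit targets it is not.
bool sizeTMaxRoundTripsThroughDouble() {
    const double asDouble = static_cast<double>(std::numeric_limits<std::size_t>::max());
    return asDouble < kTwoPow64;
}

// The pre-fix clamp, minus the final cast: reports whether the clamped double
// is still >= 2^64 and therefore cannot be converted to size_t. The removed
// line on the page performed that conversion regardless.
bool oldClampLeavesValueOutOfRange(double offsetNumber) {
    const double maxAsDouble = static_cast<double>(std::numeric_limits<std::size_t>::max());
    const double clamped = std::min(offsetNumber, maxAsDouble);
    return clamped >= kTwoPow64;
}

// The post-fix logic: convert only when the double is a safe integer that
// also fits size_t, otherwise saturate. Every value that reaches the cast is
// at most 2^53 - 1, so the cast is always in range. Assumes offsetNumber is
// not negative (the page's snippet appears to rely on earlier validation
// that is not shown). NaN fails both comparisons and saturates.
std::size_t clampOffsetToSizeT(double offsetNumber) {
    if (offsetNumber <= kMaxSafeInteger
        && offsetNumber <= static_cast<double>(std::numeric_limits<std::size_t>::max()))
        return static_cast<std::size_t>(offsetNumber);
    return std::numeric_limits<std::size_t>::max();
}

int main() {
    std::printf("size_t max round-trips through double: %s\n",
                sizeTMaxRoundTripsThroughDouble() ? "yes" : "no");
    std::printf("old clamp leaves 1e300 out of range: %s\n",
                oldClampLeavesValueOutOfRange(1e300) ? "yes" : "no");
    std::printf("new clamp of 1e300: %zu\n", clampOffsetToSizeT(1e300));
    std::printf("new clamp of 1000: %zu\n", clampOffsetToSizeT(1000.0));
    return 0;
}
```

The 64-bit-only assertions are guarded on `sizeof(size_t)`: on a 32-bit target `size_t` max converts to double exactly, the old clamp is sound, and only the saturation behaviour of the new logic is platform-independent.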