[webkit-reviews] review granted: [Bug 231975] JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX : [Attachment 442234] Patch
bugzilla-daemon at webkit.org
Fri Oct 22 18:43:20 PDT 2021
Yusuke Suzuki <ysuzuki at apple.com> has granted Robin Morisset
<rmorisset at apple.com>'s request for review:
Bug 231975: JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX
https://bugs.webkit.org/show_bug.cgi?id=231975
Attachment 442234: Patch
https://bugs.webkit.org/attachment.cgi?id=442234&action=review
--- Comment #10 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 442234
--> https://bugs.webkit.org/attachment.cgi?id=442234
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=442234&action=review
r=me
> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:328
> + size_t safeUnadjustedLength = std::min(length,
static_cast<size_t>(MAX_ARRAY_INDEX + 1));
Let's change this to `static_cast<size_t>(MAX_ARRAY_INDEX) + 1` to ensure
MAX_ARRAY_INDEX will exceed its max value.
In reality, since it is UINT32_MAX - 1, +1 does not make it 0, but the above
form is anyway extra careful without any cost.
> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:339
> + PropertyName property = PropertyName(ident);
This is not necessary since it has implicit constructor from ident. Let's just
pass ident directly to object->get.
JSValue value = object->get(globalObject, ident);
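The review's first comment is about where the widening cast sits relative to the `+ 1`. The following is an added illustration, not code from the patch or from WebKit: it puts the add-then-cast form and the cast-then-add form side by side and shows that only the former can wrap to 0 when the 32-bit constant is at its maximum. `kRealMaxArrayIndex` is set to `UINT32_MAX - 1` on the strength of the review's own statement; the function names and the `maxIndex` parameter are hypothetical, and the test values assume a 64-bit `size_t`.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Stand-in for JSC's MAX_ARRAY_INDEX (assumption, taken from the review text:
// "since it is UINT32_MAX - 1, +1 does not make it 0").
constexpr uint32_t kRealMaxArrayIndex = UINT32_MAX - 1;

// Form as originally written in the patch: the addition happens in 32-bit
// unsigned arithmetic and is only widened afterwards. If maxIndex were
// UINT32_MAX, maxIndex + 1 wraps to 0 and the clamp collapses every length to 0.
size_t clampAddThenCast(size_t length, uint32_t maxIndex) {
    return std::min(length, static_cast<size_t>(maxIndex + 1));
}

// Form the reviewer asks for: widen first, then add. On a 64-bit size_t the
// sum cannot wrap, whatever the value of maxIndex.
size_t clampCastThenAdd(size_t length, uint32_t maxIndex) {
    return std::min(length, static_cast<size_t>(maxIndex) + 1);
}

int main() {
    // With the real constant both forms agree, which is the review's point
    // that the change is "extra careful without any cost".
    std::printf("real constant, length=100: %zu vs %zu\n",
                clampAddThenCast(100, kRealMaxArrayIndex),
                clampCastThenAdd(100, kRealMaxArrayIndex));
    // At the 32-bit boundary the two forms diverge.
    std::printf("UINT32_MAX, length=100:     %zu vs %zu\n",
                clampAddThenCast(100, UINT32_MAX),
                clampCastThenAdd(100, UINT32_MAX));
    return 0;
}
```

The lesson generalizes beyond this patch: when a clamp bound is built from a narrower integer constant plus an offset, widen the constant before doing the arithmetic so the bound itself cannot overflow and silently disable the check.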