Commit a188079a authored by kbr@google.com's avatar kbr@google.com

[V8] ArrayBuffer code should not pass a negative length to...

[V8] ArrayBuffer code should not pass a negative length to SetIndexedPropertiesToExternalArrayData()
https://bugs.webkit.org/show_bug.cgi?id=96703

Reviewed by Adam Barth.

Check length arguments that may be passed to SetIndexedPropertiesToExternalArrayData.

No tests because it is not guaranteed that buffers this large can actually be allocated.

* bindings/v8/custom/V8ArrayBufferViewCustom.h:
(WebCore::wrapArrayBufferView):
(WebCore::constructWebGLArrayWithArrayBufferArgument):
(WebCore::constructWebGLArray):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129424 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent e5a88a78
2012-09-21 Kenneth Russell <kbr@google.com>
[V8] ArrayBuffer code should not pass a negative length to SetIndexedPropertiesToExternalArrayData()
https://bugs.webkit.org/show_bug.cgi?id=96703
Reviewed by Adam Barth.
Check length arguments that may be passed to SetIndexedPropertiesToExternalArrayData.
No tests because it is not guaranteed that buffers this large can actually be allocated.
* bindings/v8/custom/V8ArrayBufferViewCustom.h:
(WebCore::wrapArrayBufferView):
(WebCore::constructWebGLArrayWithArrayBufferArgument):
(WebCore::constructWebGLArray):
2012-09-24 Antti Koivisto <antti@apple.com>
 
Split stylesheet related code out from Document
......@@ -52,6 +52,7 @@ v8::Handle<v8::Value> wrapArrayBufferView(const v8::Arguments& args, WrapperType
{
// Transform the holder into a wrapper object for the array.
V8DOMWrapper::setDOMWrapper(args.Holder(), type, array.get());
ASSERT(!hasIndexer || static_cast<int32_t>(array.get()->length()) >= 0);
if (hasIndexer)
args.Holder()->SetIndexedPropertiesToExternalArrayData(array.get()->baseAddress(), arrayType, array.get()->length());
v8::Handle<v8::Object> wrapper = args.Holder();
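Review bot: The ASSERT added above the SetIndexedPropertiesToExternalArrayData call is compiled out of release builds, so on the release path the uint32_t returned by array.get()->length() is still handed to V8 unchecked; the actual protection this commit adds lives in the callers' checks in the later hunks, and this line only documents the invariant. A short comment would make that dependency visible to anyone adding a new caller: `// Callers must reject lengths that do not fit in a positive int32 before wrapping; V8 appears to take the element count as a signed int, so a larger length would arrive as a negative count.` Without the caller-side check, a length of 2^31 or more would reach V8 truncated, which is the defect the commit title describes. wrapArrayBufferView begins before this hunk.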
......@@ -85,6 +86,10 @@ v8::Handle<v8::Value> constructWebGLArrayWithArrayBufferArgument(const v8::Argum
return throwError(RangeError, "ArrayBuffer length minus the byteOffset is not a multiple of the element size.", args.GetIsolate());
length = (buf->byteLength() - offset) / sizeof(ElementType);
}
if (static_cast<int32_t>(length) < 0)
return throwError(RangeError, tooLargeSize, args.GetIsolate());
RefPtr<ArrayClass> array = ArrayClass::create(buf, offset, length);
if (!array)
return throwError(RangeError, tooLargeSize, args.GetIsolate());
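Review bot: The new guard `if (static_cast<int32_t>(length) < 0)` expresses "length does not fit in a positive int32" indirectly, through an unsigned-to-signed conversion whose result for out-of-range values is implementation-defined in the C++ standard this code targets. The comparison can be written in unsigned terms with no such assumption: `if (length > static_cast<uint32_t>(std::numeric_limits<int32_t>::max()))` (needs `<limits>` in scope). The same idiom is used in the two later hunks of this commit, for `length` and `len` in constructWebGLArray, and in the ASSERT in wrapArrayBufferView; all four would read the same way with the explicit bound. constructWebGLArrayWithArrayBufferArgument starts before this hunk and continues after it.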
......@@ -143,6 +148,10 @@ v8::Handle<v8::Value> constructWebGLArray(const v8::Arguments& args, WrapperType
if (JavaScriptWrapperArrayType::HasInstance(args[0])) {
ArrayClass* source = JavaScriptWrapperArrayType::toNative(args[0]->ToObject());
uint32_t length = source->length();
if (static_cast<int32_t>(length) < 0)
return throwError(RangeError, tooLargeSize, args.GetIsolate());
RefPtr<ArrayClass> array = ArrayClass::createUninitialized(length);
if (!array.get())
return throwError(RangeError, tooLargeSize, args.GetIsolate());
......@@ -174,6 +183,9 @@ v8::Handle<v8::Value> constructWebGLArray(const v8::Arguments& args, WrapperType
}
}
if (static_cast<int32_t>(len) < 0)
return throwError(RangeError, tooLargeSize, args.GetIsolate());
RefPtr<ArrayClass> array;
if (doInstantiation) {
if (srcArray.IsEmpty())