Avoid uint32_t overflow in js shell by checking size of file before trying to stuff something insanely large into a Uint8Array.

See also: BMO 1571911
pull/24/head
wolfbeast 3 years ago committed by Roy Tam
parent
commit
4a024d6b52
5
js/src/shell/OSObject.cpp

@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr)
return nullptr;
JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr());
} else {
if (len > INT32_MAX) {
JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
pathname.ptr());
return nullptr;
}
obj = JS_NewUint8Array(cx, len);
if (!obj)
return nullptr;
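
Review bot: the bound in `if (len > INT32_MAX)` does not match the commit message, which describes a uint32_t overflow, and nothing in the hunk says why the signed limit is the right one for `JS_NewUint8Array(cx, len)`. A one-line comment above the check naming the limit being enforced (the maximum typed array length, if that is the intent) would settle it. The declaration of `len` is outside the visible lines; if it is a signed type, a negative value from a failed size query passes this check and still reaches `JS_NewUint8Array`, so confirm that case is rejected earlier or add a `len < 0` test here.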
