diff options
author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-10-22 20:57:58 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-10-22 20:57:58 +0200 |
commit | dee457e63aa52ac83c0545ae87dc273cbdd072f1 (patch) | |
tree | 8147f304ec8c18443715c96da0f5a94cc18e5116 /js/src/shell/OSObject.cpp | |
parent | a0ab17b2103aecfaafdbe0c18a98e358c990ad8d (diff) | |
download | UXP-dee457e63aa52ac83c0545ae87dc273cbdd072f1.tar UXP-dee457e63aa52ac83c0545ae87dc273cbdd072f1.tar.gz UXP-dee457e63aa52ac83c0545ae87dc273cbdd072f1.tar.lz UXP-dee457e63aa52ac83c0545ae87dc273cbdd072f1.tar.xz UXP-dee457e63aa52ac83c0545ae87dc273cbdd072f1.zip |
Avoid uint32_t overflow in js shell by checking size of file before
trying to stuff something insanely large into a Uint8Array.
See also: BMO 1571911
Diffstat (limited to 'js/src/shell/OSObject.cpp')
-rw-r--r-- | js/src/shell/OSObject.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/shell/OSObject.cpp b/js/src/shell/OSObject.cpp index 846ec7b15..4fb3d4e77 100644 --- a/js/src/shell/OSObject.cpp +++ b/js/src/shell/OSObject.cpp @@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr) return nullptr; JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr()); } else { + if (len > INT32_MAX) { + JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array", + pathname.ptr()); + return nullptr; + } obj = JS_NewUint8Array(cx, len); if (!obj) return nullptr; |