From dee457e63aa52ac83c0545ae87dc273cbdd072f1 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Tue, 22 Oct 2019 20:57:58 +0200
Subject: Avoid uint32_t overflow in js shell by checking size of file before trying to stuff something insanely large into a Uint8Array.

See also: BMO 1571911
---
 js/src/shell/OSObject.cpp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'js/src')

diff --git a/js/src/shell/OSObject.cpp b/js/src/shell/OSObject.cpp
index 846ec7b15..4fb3d4e77 100644
--- a/js/src/shell/OSObject.cpp
+++ b/js/src/shell/OSObject.cpp
@@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr)
                 return nullptr;
             JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr());
         } else {
+            if (len > INT32_MAX) {
+                JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
+                                   pathname.ptr());
+                return nullptr;
+            }
             obj = JS_NewUint8Array(cx, len);
             if (!obj)
                 return nullptr;
-- 
cgit v1.2.3
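Review bot: The new guard `if (len > INT32_MAX)` carries no comment explaining why the bound is INT32_MAX when the commit title speaks of a uint32_t overflow, so a later reader may "relax" it to UINT32_MAX and reintroduce the truncation on the `JS_NewUint8Array(cx, len)` call that follows. A one-line comment above the check, `// Typed-array lengths are capped well below the uint32_t that JS_NewUint8Array takes; reject early instead of letting len be truncated on conversion.`, would pin the intent. The declaration of `len` is outside the hunk; if it is the unsigned value taken from `ftell()`, a failed `ftell()` (-1) also lands in this branch, which is a useful side effect worth naming in the same comment. Including the offending size in the message (e.g. appending `" (%zu bytes)"` with `size_t(len)`) would make the rejection easier to diagnose, but that depends on len's type, which is not visible here. FileAsTypedArray begins and ends outside the hunk.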