authorwolfbeast <mcwerewolf@wolfbeast.com>2019-10-22 20:57:58 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-10-22 20:57:58 +0200
commitdee457e63aa52ac83c0545ae87dc273cbdd072f1 (patch)
tree8147f304ec8c18443715c96da0f5a94cc18e5116
parenta0ab17b2103aecfaafdbe0c18a98e358c990ad8d (diff)
Avoid uint32_t overflow in js shell by checking size of file before
trying to stuff something insanely large into a Uint8Array. See also: BMO 1571911
-rw-r--r--js/src/shell/OSObject.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/shell/OSObject.cpp b/js/src/shell/OSObject.cpp
index 846ec7b15..4fb3d4e77 100644
--- a/js/src/shell/OSObject.cpp
+++ b/js/src/shell/OSObject.cpp
@@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr)
return nullptr;
JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr());
} else {
+ if (len > INT32_MAX) {
+ JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
+ pathname.ptr());
+ return nullptr;
+ }
obj = JS_NewUint8Array(cx, len);
if (!obj)
return nullptr;
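Review bot: The new guard `if (len > INT32_MAX)` reports every oversize value as "too large for a Uint8Array", which will also mask a failed `ftell()` if `len` is an unsigned size taken from it (a `-1L` return becomes `SIZE_MAX` and lands in this branch with a misleading message); `len`'s declaration is above the hunk, so this is inferred, not visible. If that is how `len` is obtained, check the `ftell()` result for `-1` on its own before the size comparison, e.g. `if (pos < 0) { JS_ReportErrorUTF8(cx, "can't tell size of %s", pathname.ptr()); return nullptr; }`, so a seek/tell failure is reported as such. A one-line comment on the bound would help the next reader, e.g. `// JS_NewUint8Array takes a uint32_t length; cap at INT32_MAX, presumably the largest typed-array length the engine accepts`. The size check is only a snapshot of the file at `ftell()` time, so the subsequent read (outside this hunk) must still be bounded by `len` rather than by whatever the file has grown to. FileAsTypedArray begins before and continues past this hunk.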