Reviewers: Lasse Reichstein,
Message:
PTAL.
Description:
Error checking for length parameter of external array constructors in shell
BUG=v8:1501
Please review this at http://codereview.chromium.org/7268002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M samples/shell.cc
M src/d8.h
M src/d8.cc
Index: samples/shell.cc
diff --git a/samples/shell.cc b/samples/shell.cc
index
950370adaa80fda9bd7896a41a0c3f32e7e69eaa..72a00f7d7841d7e0ac5eb3dac46d0963a391778e
100644
--- a/samples/shell.cc
+++ b/samples/shell.cc
@@ -497,14 +497,31 @@ void
ExternalArrayWeakCallback(v8::Persistent<v8::Value> object, void* data) {
v8::Handle<v8::Value> CreateExternalArray(const v8::Arguments& args,
v8::ExternalArrayType type,
- int element_size) {
+ size_t element_size) {
if (args.Length() != 1) {
return v8::ThrowException(
v8::String::New("Array constructor needs one parameter."));
}
- int length = args[0]->Int32Value();
- void* data = malloc(length * element_size);
- memset(data, 0, length * element_size);
+ if (args[0]->Int32Value() < 0) {
+ return v8::ThrowException(
+ v8::String::New("Array length must not be negative."));
+ }
+ size_t length = static_cast<size_t>(args[0]->Int32Value());
+ if (length >
static_cast<size_t>(v8::internal::ExternalArray::kMaxLength)) {
+ return v8::ThrowException(
+ v8::String::New("Array length exceeds maximum length."));
+ }
+ size_t malloc_size = length * element_size;
+ // Check for overflow in the multiplication.
+ if (malloc_size / length != element_size) {
+ return v8::ThrowException(
+ v8::String::New("Array size exceeds memory limit."));
+ }
+ void* data = malloc(malloc_size);
+ if (data == NULL) {
+ return v8::ThrowException(v8::String::New("Memory allocation
failed."));
+ }
+ memset(data, 0, malloc_size);
v8::Handle<v8::Object> array = v8::Object::New();
v8::Persistent<v8::Object> persistent_array =
v8::Persistent<v8::Object>::New(array);
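Review bot: The overflow check `if (malloc_size / length != element_size)` divides by `length`, which is zero for a zero-length request because only negative values are rejected above it. A zero-length array constructor call therefore reaches an integer division by zero, which is undefined behaviour and typically crashes the shell. Guard the division with `if (length != 0 && malloc_size / length != element_size) {`, or test before multiplying with `length > static_cast<size_t>(-1) / element_size`. Separately, `args[0]->Int32Value()` is evaluated twice and the conversion can invoke script-defined code, so the value that passed the sign check is not necessarily the value used; reading it once into a local and checking that local would be tighter. CreateExternalArray continues past the end of this hunk.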
Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index
56a43ad2411e375f529beca5a62dd6c2df5469ac..ae86243fd224b711b3a4b6246743fe31d59ad712
100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -223,14 +223,28 @@ Handle<Value> Shell::Load(const Arguments& args) {
Handle<Value> Shell::CreateExternalArray(const Arguments& args,
ExternalArrayType type,
- int element_size) {
+ size_t element_size) {
if (args.Length() != 1) {
return ThrowException(
String::New("Array constructor needs one parameter."));
}
- int length = args[0]->Int32Value();
- void* data = malloc(length * element_size);
- memset(data, 0, length * element_size);
+ if (args[0]->Int32Value() < 0) {
+ return ThrowException(String::New("Array length must not be
negative."));
+ }
+ size_t length = static_cast<size_t>(args[0]->Int32Value());
+ if (length > static_cast<size_t>(internal::ExternalArray::kMaxLength)) {
+ return ThrowException(String::New("Array length exceeds maximum
length."));
+ }
+ size_t malloc_size = length * element_size;
+ // Check for overflow in the multiplication.
+ if (malloc_size < length || malloc_size < element_size) {
+ return ThrowException(String::New("Array size exceeds memory limit."));
+ }
+ void* data = malloc(malloc_size);
+ if (data == NULL) {
+ return ThrowException(String::New("Memory allocation failed."));
+ }
+ memset(data, 0, malloc_size);
Handle<Object> array = Object::New();
Persistent<Object> persistent_array = Persistent<Object>::New(array);
persistent_array.MakeWeak(data, ExternalArrayWeakCallback);
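Review bot: The check `if (malloc_size < length || malloc_size < element_size)` rejects a valid input and is not a reliable test for a wrapped multiplication. For length 0 the product is 0, which is less than `element_size`, so a zero-length array throws "Array size exceeds memory limit.". A wrapped product can also still be larger than both operands; whether that is reachable depends on kMaxLength and the width of size_t, neither of which is visible here, but if it is, the buffer would presumably be smaller than the length later attached to the array. Checking before the multiplication avoids both problems: `if (element_size != 0 && length > static_cast<size_t>(-1) / element_size) {`. The function body continues outside the hunk, and the copy in samples/shell.cc uses a different, division-based check that should be kept consistent with this one.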
Index: src/d8.h
diff --git a/src/d8.h b/src/d8.h
index
e62ce3803642a17e9fcc339acbd0bb77dc52e2e4..1071c9a0b999e912fb535b0ed3575bd1451377b2
100644
--- a/src/d8.h
+++ b/src/d8.h
@@ -219,7 +219,7 @@ class Shell: public i::AllStatic {
static Counter* GetCounter(const char* name, bool is_histogram);
static Handle<Value> CreateExternalArray(const Arguments& args,
ExternalArrayType type,
- int element_size);
+ size_t element_size);
static void ExternalArrayWeakCallback(Persistent<Value> object, void*
data);
};