Bug 1241731 - Handle incomplete buffer in DiscardTransferables r=sfink a=abillings

2024-11-28 23:31:56 +00:00 · 2016-01-27 10:31:15 +00:00 · 2016-01-27 10:31:15 +00:00 · 0450b78319
commit 0450b78319
parent d079897c17
2 changed files with 17 additions and 2 deletions
--- a/js/src/jit-test/tests/gc/bug-1241731.js
+++ b/js/src/jit-test/tests/gc/bug-1241731.js
@ -0,0 +1,4 @@
+if (!('oomTest' in this))
+    quit();
+
+oomTest(() => serialize(0, [{}]));
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@ -407,10 +407,11 @@ DiscardTransferables(uint64_t* buffer, size_t nbytes,
                     const JSStructuredCloneCallbacks* cb, void* cbClosure)
 {
    MOZ_ASSERT(nbytes % sizeof(uint64_t) == 0);
-    if (nbytes < sizeof(uint64_t))
+    uint64_t* end = buffer + nbytes / sizeof(uint64_t);
+    uint64_t* point = buffer;
+    if (point == end)
        return; // Empty buffer

-    uint64_t* point = buffer;
    uint32_t tag, data;
    SCInput::getPair(point++, &tag, &data);
    if (tag != SCTAG_TRANSFER_MAP_HEADER)
@ -422,14 +423,24 @@ DiscardTransferables(uint64_t* buffer, size_t nbytes,
    // freeTransfer should not GC
    JS::AutoSuppressGCAnalysis nogc;

+    if (point == end)
+        return;
+
    uint64_t numTransferables = LittleEndian::readUint64(point++);
    while (numTransferables--) {
+        if (point == end)
+            return;
+
        uint32_t ownership;
        SCInput::getPair(point++, &tag, &ownership);
        MOZ_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
+        if (point == end)
+            return;

        void* content;
        SCInput::getPtr(point++, &content);
+        if (point == end)
+            return;

        uint64_t extraData = LittleEndian::readUint64(point++);