Bug 1425612 - Better error messages for invalid structured clone data. r=sfink, a=abillings.
--HG-- extra : rebase_source : 66e28aa6cc6172eb9bbb06c1b8fc934ef80e721d extra : source : 462f41ca6771fa573e6550509e78dddc8bd8d102
This commit is contained in:
parent
b62884603e
commit
63a5e2d4e7
@ -1916,6 +1916,12 @@ JSStructuredCloneReader::readTypedArray(uint32_t arrayType, uint32_t nelems, Mut
|
||||
return false;
|
||||
byteOffset = n;
|
||||
}
|
||||
if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"typed array must be backed by an ArrayBuffer");
|
||||
return false;
|
||||
}
|
||||
|
||||
RootedObject buffer(context(), &v.toObject());
|
||||
RootedObject obj(context(), nullptr);
|
||||
|
||||
@ -1973,6 +1979,11 @@ JSStructuredCloneReader::readDataView(uint32_t byteLength, MutableHandleValue vp
|
||||
RootedValue v(context());
|
||||
if (!startRead(&v))
|
||||
return false;
|
||||
if (!v.isObject() || !v.toObject().is<ArrayBufferObject>()) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"DataView must be backed by an ArrayBuffer");
|
||||
return false;
|
||||
}
|
||||
|
||||
// Read byteOffset.
|
||||
uint64_t n;
|
||||
@ -2028,8 +2039,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
|
||||
|
||||
// We must not transfer buffer pointers cross-process. The cloneDataPolicy
|
||||
// in the sender should guard against this; check that it does.
|
||||
|
||||
MOZ_RELEASE_ASSERT(storedScope <= JS::StructuredCloneScope::SameProcessDifferentThread);
|
||||
if (storedScope > JS::StructuredCloneScope::SameProcessDifferentThread) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"can't transfer SharedArrayBuffer cross-process");
|
||||
return false;
|
||||
}
|
||||
|
||||
// The new object will have a new reference to the rawbuf.
|
||||
|
||||
@ -2051,7 +2065,11 @@ JSStructuredCloneReader::readSharedArrayBuffer(uint32_t nbytes, MutableHandleVal
|
||||
bool
|
||||
JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValue vp)
|
||||
{
|
||||
MOZ_ASSERT(nbytes == 0);
|
||||
if (nbytes != 0) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"invalid shared wasm memory tag");
|
||||
return false;
|
||||
}
|
||||
|
||||
JSContext* cx = context();
|
||||
|
||||
@ -2059,6 +2077,11 @@ JSStructuredCloneReader::readSharedWasmMemory(uint32_t nbytes, MutableHandleValu
|
||||
RootedValue payload(cx);
|
||||
if (!startRead(&payload))
|
||||
return false;
|
||||
if (!payload.isObject() || !payload.toObject().is<SharedArrayBufferObject>()) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"shared wasm memory must be backed by a SharedArrayBuffer");
|
||||
return false;
|
||||
}
|
||||
|
||||
Rooted<ArrayBufferObjectMaybeShared*> sab(
|
||||
cx, &payload.toObject().as<SharedArrayBufferObject>());
|
||||
@ -2081,7 +2104,11 @@ bool
|
||||
JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems,
|
||||
MutableHandleValue vp)
|
||||
{
|
||||
MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
|
||||
if (arrayType > Scalar::Uint8Clamped) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"invalid TypedArray type");
|
||||
return false;
|
||||
}
|
||||
|
||||
mozilla::CheckedInt<size_t> nbytes =
|
||||
mozilla::CheckedInt<size_t>(nelems) *
|
||||
@ -2353,6 +2380,14 @@ JSStructuredCloneReader::readHeader()
|
||||
}
|
||||
|
||||
MOZ_ALWAYS_TRUE(in.readPair(&tag, &data));
|
||||
if (data != uint32_t(JS::StructuredCloneScope::SameProcessSameThread) &&
|
||||
data != uint32_t(JS::StructuredCloneScope::SameProcessDifferentThread) &&
|
||||
data != uint32_t(JS::StructuredCloneScope::DifferentProcess))
|
||||
{
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
"invalid structured clone scope");
|
||||
return false;
|
||||
}
|
||||
storedScope = JS::StructuredCloneScope(data);
|
||||
if (storedScope < allowedScope) {
|
||||
JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr, JSMSG_SC_BAD_SERIALIZED_DATA,
|
||||
|