Bug 1917554 - Error check transfer map header value r=spidermonkey-reviewers,jandem

Differential Revision: https://phabricator.services.mozilla.com/D222060
2024-11-27 06:43:32 +00:00 · 2024-09-19 20:46:22 +00:00 · 2024-09-19 20:46:22 +00:00 · 70e995c0b5
commit 70e995c0b5
parent a86d0ad3a2
2 changed files with 33 additions and 1 deletions
--- a/js/src/jit-test/tests/structured-clone/transferable-cleanup.js
+++ b/js/src/jit-test/tests/structured-clone/transferable-cleanup.js
@ -157,6 +157,7 @@ function testMultiWithDeserializeReadTransferErrorHelper(g, BASE, desc) {

    try {
        let clone = deserialize(s);
+        assertEq(true, false, "should throw");
    } catch (e) {
        assertEq(e.message.includes("invalid transferable"), true);
    }
@ -240,6 +241,28 @@ function testMultiWithDeserializeReadErrorCrossRealm() {
    testMultiWithDeserializeReadErrorHelper(newGlobal({ newCompartment: true }), 1100, desc);
 }

+function testCorruptedTransferMapHeader() {
+    const ab = new ArrayBuffer(100);
+    const s = serialize({ ab, seven: 7 }, [ab], { scope: "DifferentProcess" });
+    const ia = new Int32Array(s.arraybuffer);
+    ia[2] = 4; // Invalid, out of range TransferableMapHeader
+    s.arraybuffer = ia.buffer;
+    try {
+        deserialize(s);
+        assertEq(true, false, "should throw for invalid TM header");
+    } catch (e) {
+        assertEq(e.message.includes("invalid transfer map header"), true);
+    }
+    ia[2] = -1; // This should be using unsigned comparison, so this will be caught.
+    s.arraybuffer = ia.buffer;
+    try {
+        deserialize(s);
+        assertEq(true, false, "should throw for invalid TM header");
+    } catch (e) {
+        assertEq(e.message.includes("invalid transfer map header"), true);
+    }
+}
+
 testBasic();
 testErrorDuringWrite();
 testErrorDuringTransfer();
@ -251,3 +274,4 @@ testMultiWithDeserializeReadTransferError();
 testMultiWithDeserializeReadTransferErrorCrossRealm();
 testMultiWithDeserializeReadError();
 testMultiWithDeserializeReadErrorCrossRealm();
+testCorruptedTransferMapHeader();
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@ -195,7 +195,9 @@ enum StructuredDataType : uint32_t {
 enum TransferableMapHeader {
  SCTAG_TM_UNREAD = 0,
  SCTAG_TM_TRANSFERRING,
-  SCTAG_TM_TRANSFERRED
+  SCTAG_TM_TRANSFERRED,
+
+  SCTAG_TM_END
 };

 static inline uint64_t PairToUInt64(uint32_t tag, uint32_t data) {
@ -3420,6 +3422,12 @@ bool JSStructuredCloneReader::readTransferMap() {
    return in.reportTruncated();
  }

+  if (data >= SCTAG_TM_END) {
+    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                              JSMSG_SC_BAD_SERIALIZED_DATA,
+                              "invalid transfer map header");
+    return false;
+  }
  auto transferState = static_cast<TransferableMapHeader>(data);

  if (tag != SCTAG_TRANSFER_MAP_HEADER ||