Bug 1416179: Prevent ArrayBufferObject from reserving memory larger than UINT32_MAX on !WASM_HUGE_MEMORY 64-bit platforms; r=lth

--HG-- extra : amend_source : 3975f2aea4dc0647f679424d45ec977a96689b8e
2024-10-23 10:15:41 +00:00 · 2017-11-07 12:51:25 +01:00 · 2017-11-07 12:51:25 +01:00 · 985e000ea8
commit 985e000ea8
parent 675a354ebc
1 changed files with 12 additions and 0 deletions
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@ -718,6 +718,18 @@ ArrayBufferObject::createForWasm(JSContext* cx, uint32_t initialSize,
        maxSize = Some(Min(clamp, maybeMaxSize.value()));
    }

+#ifndef WASM_HUGE_MEMORY
+    if (sizeof(void*) == 8 && maybeMaxSize && maybeMaxSize.value() == UINT32_MAX) {
+        // On 64-bit platforms that don't define WASM_HUGE_MEMORY
+        // clamp maxSize to smaller value that satisfies the 32-bit invariants
+        // maxSize + wasm::PageSize < UINT32_MAX and maxSize % wasm::PageSize == 0
+        uint32_t clamp = (wasm::MaxMemoryMaximumPages - 2) * wasm::PageSize;
+        MOZ_ASSERT(clamp < UINT32_MAX);
+        MOZ_ASSERT(initialSize <= clamp);
+        maxSize = Some(clamp);
+    }
+#endif
+
    RootedArrayBufferObject buffer(cx, ArrayBufferObject::createEmpty(cx));
    if (!buffer)
        return nullptr;