openharmony/arkcompiler_ets_runtime
1
0
Fork 0
mirror of https://gitee.com/openharmony/arkcompiler_ets_runtime synced 2024-10-07 16:13:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

CreateFromTypedArray byteLength data overflow

Browse Source 
Issue: https://gitee.com/open_harmony/dashboard?issue_id=I7KZJ7

Signed-off-by: quiet-thought <chenjingxiang1@huawei.com>
Change-Id: Id0c0a875086026cec97b742c9ff4a56b62d06006
This commit is contained in:
quiet-thought 2023-07-15 16:35:01 +08:00
parent 13303b3a52
commit 9f586b533b
3 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ecmascript/base/typed_array_helper.cpp
View File

@ -234,7 +234,9 @@ JSTaggedValue TypedArrayHelper::CreateFromTypedArray(EcmaRuntimeCallInfo *argv,
// 15. Let byteLength be elementSize × elementLength.
uint32_t srcByteOffset = srcObj->GetByteOffset();
uint32_t elementSize = TypedArrayHelper::GetSizeFromType(arrayType);
uint32_t byteLength = elementSize * elementLength;
// If elementLength is a large number, the multiplication of elementSize and elementLength may exceed
// the maximum value of uint32, resulting in data overflow. Therefore, the type of byteLength is uint64_t.
uint64_t byteLength = elementSize * static_cast<uint64_t>(elementLength);
// 16. If IsSharedArrayBuffer(srcData) is false, then
// a. Let bufferConstructor be ? SpeciesConstructor(srcData, %ArrayBuffer%).
@ -368,9 +370,9 @@ JSTaggedValue TypedArrayHelper::CreateFromArrayBuffer(EcmaRuntimeCallInfo *argv,
// 16. Set O.[[ArrayLength]] to newByteLength / elementSize.
JSTypedArray *jsTypedArray = JSTypedArray::Cast(*obj);
jsTypedArray->SetViewedArrayBufferOrByteArray(thread, buffer);
jsTypedArray->SetByteLength(static_cast<int32_t>(newByteLength));
jsTypedArray->SetByteLength(newByteLength);
jsTypedArray->SetByteOffset(offset);
jsTypedArray->SetArrayLength(static_cast<int32_t>(newByteLength / elementSize));
jsTypedArray->SetArrayLength(newByteLength / elementSize);
// 17. Return O.
return obj.GetTaggedValue();
}

1
test/moduletest/typearray/expect_output.txt
View File

@ -27,3 +27,4 @@ BigUint64Array test success !!!
test successful !!!
test successful !!!
false
test successful !!!

9
test/moduletest/typearray/typearray.js
View File

@ -198,4 +198,11 @@ const a7 = new BigInt64Array(4);
function foo() {}
const f = new foo();
const protoOf = f.isPrototypeOf;
print(protoOf.apply(protoOf, a7));
print(protoOf.apply(protoOf, a7));
try {
const a8 = new Int8Array(new ArrayBuffer(0x40004141, {"maxByteLength": 0x40004141}));
const a9 = new Float64Array(a8);
} catch (e) {
print("test successful !!!");
}