From 9f586b533be0275f3e3327e05c64f3aed28b7de3 Mon Sep 17 00:00:00 2001
From: quiet-thought
Date: Sat, 15 Jul 2023 16:35:01 +0800
Subject: [PATCH] CreateFromTypedArray byteLength data overflow

Issue: https://gitee.com/open_harmony/dashboard?issue_id=I7KZJ7
Signed-off-by: quiet-thought
Change-Id: Id0c0a875086026cec97b742c9ff4a56b62d06006
---
 ecmascript/base/typed_array_helper.cpp | 8 +++++---
 test/moduletest/typearray/expect_output.txt | 1 +
 test/moduletest/typearray/typearray.js | 9 ++++++++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ecmascript/base/typed_array_helper.cpp b/ecmascript/base/typed_array_helper.cpp
index caa5467917..319347a5ea 100644
--- a/ecmascript/base/typed_array_helper.cpp
+++ b/ecmascript/base/typed_array_helper.cpp
@@ -234,7 +234,9 @@ JSTaggedValue TypedArrayHelper::CreateFromTypedArray(EcmaRuntimeCallInfo *argv,
 // 15. Let byteLength be elementSize × elementLength.
 uint32_t srcByteOffset = srcObj->GetByteOffset();
 uint32_t elementSize = TypedArrayHelper::GetSizeFromType(arrayType);
- uint32_t byteLength = elementSize * elementLength;
+ // If elementLength is a large number, the multiplication of elementSize and elementLength may exceed
+ // the maximum value of uint32, resulting in data overflow. Therefore, the type of byteLength is uint64_t.
+ uint64_t byteLength = elementSize * static_cast(elementLength);
 // 16. If IsSharedArrayBuffer(srcData) is false, then
 // a. Let bufferConstructor be ? SpeciesConstructor(srcData, %ArrayBuffer%).
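Review bot: The widened product removes the 32-bit wrap, but nothing in the hunk bounds the resulting byteLength, and its consumers (the buffer allocation and the length setters on the new object in CreateFromTypedArray) lie after the hunk; if any of them still takes a uint32_t, the overflow has only moved to an implicit narrowing. A range check against the engine's maximum buffer length, throwing a RangeError before any allocation, belongs right after the new line, e.g. `if (byteLength > <MAX_BUFFER_BYTE_LENGTH placeholder>) { /* throw RangeError via the helper's existing error path */ }`. The cast on the new line renders here as `static_cast(elementLength)` with no template argument; it needs to be `static_cast<uint64_t>` (or elementSize must be widened), otherwise `elementSize * elementLength` is still multiplied in 32 bits and only the already-wrapped result is widened. The added two-line comment could be shortened to `// Compute in 64 bits: elementSize * elementLength can exceed UINT32_MAX; range-check before use.`. The function body continues beyond the hunk.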
@@ -368,9 +370,9 @@ JSTaggedValue TypedArrayHelper::CreateFromArrayBuffer(EcmaRuntimeCallInfo *argv,
 // 16. Set O.[[ArrayLength]] to newByteLength / elementSize.
 JSTypedArray *jsTypedArray = JSTypedArray::Cast(*obj);
 jsTypedArray->SetViewedArrayBufferOrByteArray(thread, buffer);
- jsTypedArray->SetByteLength(static_cast(newByteLength));
+ jsTypedArray->SetByteLength(newByteLength);
 jsTypedArray->SetByteOffset(offset);
- jsTypedArray->SetArrayLength(static_cast(newByteLength / elementSize));
+ jsTypedArray->SetArrayLength(newByteLength / elementSize);
 // 17. Return O.
 return obj.GetTaggedValue();
 }
diff --git a/test/moduletest/typearray/expect_output.txt b/test/moduletest/typearray/expect_output.txt
index 8f52daa2db..4acaf51a3a 100644
--- a/test/moduletest/typearray/expect_output.txt
+++ b/test/moduletest/typearray/expect_output.txt
@@ -27,3 +27,4 @@ BigUint64Array test success !!!
 test successful !!!
 test successful !!!
 false
+test successful !!!
diff --git a/test/moduletest/typearray/typearray.js b/test/moduletest/typearray/typearray.js
index b7aed513bc..7bc4625653 100644
--- a/test/moduletest/typearray/typearray.js
+++ b/test/moduletest/typearray/typearray.js
@@ -198,4 +198,11 @@ const a7 = new BigInt64Array(4);
 function foo() {}
 const f = new foo();
 const protoOf = f.isPrototypeOf;
-print(protoOf.apply(protoOf, a7));
\ No newline at end of file
+print(protoOf.apply(protoOf, a7));
+
+try {
+ const a8 = new Int8Array(new ArrayBuffer(0x40004141, {"maxByteLength": 0x40004141}));
+ const a9 = new Float64Array(a8);
+} catch (e) {
+ print("test successful !!!");
+}
\ No newline at end of file
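Review bot: Dropping the `static_cast` around `newByteLength` and `newByteLength / elementSize` turns an explicit narrowing into an implicit one; the setters' declarations are not part of this patch (the diffstat lists only this .cpp and two test files), so if SetByteLength/SetArrayLength still take uint32_t the arguments are silently truncated, which is the same wrap the commit sets out to fix. If the setters were widened in an earlier change, the commit message should say so; if not, keep an explicit guard before the calls, e.g. `if (newByteLength > UINT32_MAX) { /* throw RangeError via the helper's existing error path */ }`, rather than relying on the conversion. Either way a short comment at the call site such as `// newByteLength was range-checked above; the setters accept the full value` (or the uint32_t equivalent) would make the contract visible. CreateFromArrayBuffer begins outside the hunk.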
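Review bot: The new test accepts any exception thrown anywhere inside the try, so it also passes if `new ArrayBuffer(0x40004141, ...)` itself throws (an allocation limit, or the resizable-buffer `maxByteLength` option not being supported) before the Float64Array constructor — the path the fix targets — ever runs. Construct the source view outside the try and pin the failure to the typed-array conversion, e.g. `const a8 = new Int8Array(new ArrayBuffer(0x40004141, {"maxByteLength": 0x40004141}));` followed by `try { new Float64Array(a8); } catch (e) { print("test successful !!!"); }`, and consider printing `e instanceof RangeError` (with expect_output.txt updated) so the expected output distinguishes the intended RangeError from some other failure. The unused binding `a9` can go. A one-line comment naming what is exercised, `// Float64Array(a8): elementSize * elementLength exceeds UINT32_MAX`, would help future readers.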