From dd0942bfe9e73a12916c4737375cbefa6b77d99c Mon Sep 17 00:00:00 2001
From: Daniel Balla
Date: Fri, 13 Sep 2019 14:51:28 +0200
Subject: [PATCH] Fix overflow in ecma_op_dataview_create

Fixes #3109

JerryScript-DCO-1.0-Signed-off-by: Daniel Balla dballa@inf.u-szeged.hu
---
 .../ecma/operations/ecma-dataview-object.c | 2 +-
 .../es2015/regression-test-issue-3109.js | 23 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 tests/jerry/es2015/regression-test-issue-3109.js

diff --git a/jerry-core/ecma/operations/ecma-dataview-object.c b/jerry-core/ecma/operations/ecma-dataview-object.c
index 80a8f3558c..af25807633 100644
--- a/jerry-core/ecma/operations/ecma-dataview-object.c
+++ b/jerry-core/ecma/operations/ecma-dataview-object.c
@@ -135,7 +135,7 @@ ecma_op_dataview_create (const ecma_value_t *arguments_list_p, /**< arguments li
   }
 
   /* 12.c */
-  if ((ecma_length_t) offset + viewByteLength > buffer_byte_length)
+  if ((ecma_number_t) offset + viewByteLength > buffer_byte_length)
   {
     return ecma_raise_range_error (ECMA_ERR_MSG ("Start offset is outside the bounds of the buffer."));
   }
diff --git a/tests/jerry/es2015/regression-test-issue-3109.js b/tests/jerry/es2015/regression-test-issue-3109.js
new file mode 100644
index 0000000000..7920fe05a4
--- /dev/null
+++ b/tests/jerry/es2015/regression-test-issue-3109.js
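Review bot: Widening the cast to ecma_number_t turns the 12.c bounds check into a floating-point comparison, which stops the wrap-around but also means a NaN viewByteLength would sail through, because `NaN > buffer_byte_length` is false. Whether viewByteLength can still be NaN at this line depends on the ToLength/undefined handling earlier in ecma_op_dataview_create, which starts outside the hunk, so that should be confirmed rather than assumed. If the value is already integer-valued here, a one-line why-comment on the changed line would spare the next reader the same question, e.g. `/* compare as ecma_number_t: offset + viewByteLength may exceed ecma_length_t (#3109) */`. It is presumably this comparison alone that keeps an Infinity length from being narrowed into the view's stored length later in the function; worth double-checking that no other path stores viewByteLength before reaching it.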
@@ -0,0 +1,23 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+var arrb = new ArrayBuffer(14);
+
+try {
+  var arr = new DataView(arrb, 13, Infinity);
+  assert(false);
+  arr.setUint32(9, -65536);
+} catch (e) {
+  assert(e instanceof RangeError);
+}
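Review bot: `arr.setUint32(9, -65536);` is unreachable, because the preceding `assert(false);` throws whenever the DataView constructor does not, so the line never executes and should be dropped (or moved ahead of the assert if the intent is to show that a view which slipped past the check can be written out of bounds). The test also exercises only `Infinity` as the length, while the commit title and the #3109 reference describe an integer overflow; a second case with a finite length that overflows the narrow type once added to the offset — a constructed example, if ecma_length_t is 32-bit, would be `new DataView(arrb, 13, 4294967295)` — would pin the wrap-around directly instead of relying on Infinity. Each case should sit in its own try/catch so that one RangeError cannot mask the other.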