authorwolfbeast <mcwerewolf@wolfbeast.com>2019-10-22 20:57:58 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-10-22 20:57:58 +0200
commitbd24404ada17af8a8d77282d96acc45598c30dfa (patch)
tree8147f304ec8c18443715c96da0f5a94cc18e5116 /js
parent648404b373569d91529f34780ccd89e8224ce5b4 (diff)
downloaduxp-bd24404ada17af8a8d77282d96acc45598c30dfa.tar.gz
Avoid uint32_t overflow in js shell by checking size of file before
trying to stuff something insanely large into a Uint8Array. See also: BMO 1571911
Diffstat (limited to 'js')
-rw-r--r--js/src/shell/OSObject.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/shell/OSObject.cpp b/js/src/shell/OSObject.cpp
index 846ec7b156..4fb3d4e77d 100644
--- a/js/src/shell/OSObject.cpp
+++ b/js/src/shell/OSObject.cpp
@@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr)
return nullptr;
JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr());
} else {
+ if (len > INT32_MAX) {
+ JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
+ pathname.ptr());
+ return nullptr;
+ }
obj = JS_NewUint8Array(cx, len);
if (!obj)
return nullptr;
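Review bot: The new `len > INT32_MAX` branch passes `pathname.ptr()` straight to `JS_ReportErrorUTF8`, whereas the seek-failure branch just above has a fallible step before its report (the `return nullptr;` ahead of the "can't seek start" message). That step starts outside the hunk and looks like a re-encode of the path for the UTF-8 reporter. If `pathname` is not already UTF-8 here, a non-ASCII file name would reach the reporter in the wrong encoding, so repeat that preparation in this branch or confirm the buffer's encoding. Separately, `len` is declared outside the hunk and presumably holds an `ftell()` result: if it is unsigned, a failed call (-1) falls into this branch and is reported as "too large", and if it is signed it passes the guard and is converted to a huge element count for `JS_NewUint8Array`. An explicit failure check, or a comment such as `// len is unsigned: an ftell() failure (-1) is rejected here too`, would pin down which case applies.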