typed arrays: fix 32 bit size/index overflow

Fix an out-of-bound read/write bug due to integer wrapping. Reported by Dean McNamee.
12 years ago · ed825f4888
2 changed files with 23 additions and 6 deletions
--- a/src/v8_typed_array.cc
+++ b/src/v8_typed_array.cc
@ -21,6 +21,7 @@

 #include <stdlib.h>  // calloc, etc
 #include <string.h>  // memmove
+#include <stdint.h>

 #include "v8_typed_array.h"
 #include "node_buffer.h"
@ -722,11 +723,14 @@ class DataView {
    // TODO(deanm): All of these things should be cacheable.
    int element_size = SizeOfArrayElementForType(
        args.This()->GetIndexedPropertiesExternalArrayDataType());
-    int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
-               element_size;
+    assert(element_size > 0);
+    int size = args.This()->GetIndexedPropertiesExternalArrayDataLength();
+    assert(size >= 0);

-    if (index + sizeof(T) > (unsigned)size)  // TODO(deanm): integer overflow.
+    if (static_cast<uint64_t>(index) + sizeof(T) >
+        static_cast<uint64_t>(size) * element_size) {
      return ThrowError("Index out of range.");
+    }

    void* ptr = args.This()->GetIndexedPropertiesExternalArrayData();
    return cTypeToValue<T>(getValue<T>(ptr, index, !little_endian));
@ -742,11 +746,14 @@ class DataView {
    // TODO(deanm): All of these things should be cacheable.
    int element_size = SizeOfArrayElementForType(
        args.This()->GetIndexedPropertiesExternalArrayDataType());
-    int size = args.This()->GetIndexedPropertiesExternalArrayDataLength() *
-               element_size;
+    assert(element_size > 0);
+    int size = args.This()->GetIndexedPropertiesExternalArrayDataLength();
+    assert(size >= 0);

-    if (index + sizeof(T) > (unsigned)size)  // TODO(deanm): integer overflow.
+    if (static_cast<uint64_t>(index) + sizeof(T) >
+        static_cast<uint64_t>(size) * element_size) {
      return ThrowError("Index out of range.");
+    }

    void* ptr = args.This()->GetIndexedPropertiesExternalArrayData();
    setValue<T>(ptr, index, valueToCType<T>(args[1]), !little_endian);
--- a/test/simple/test-typed-arrays.js
+++ b/test/simple/test-typed-arrays.js
@ -182,3 +182,13 @@ assert.equal(uint8c[1], 255);
  var view = new DataView(array.buffer);
  for (var i = 128; i <= 255; ++i) assert.equal(view.getInt8(i - 128), i - 256);
 })();
+
+assert.throws(function() {
+  var buf = new DataView(new ArrayBuffer(8));
+  buf.getFloat64(0xffffffff, true);
+}, /Index out of range/);
+
+assert.throws(function() {
+  var buf = new DataView(new ArrayBuffer(8));
+  buf.setFloat64(0xffffffff, 0.0, true);
+}, /Index out of range/);