Bug 205943 - JSArrayBufferView.h: Multiplication result converted to larger type
Summary: JSArrayBufferView.h: Multiplication result converted to larger type
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-01-08 11:42 PST by Michael Saboff
Modified: 2020-01-08 12:54 PST (History)
7 users (show)

See Also:

Attachments
Patch (1.31 KB, patch)
2020-01-08 11:56 PST, Michael Saboff 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Saboff 2020-01-08 11:42:47 PST 
Summary:
JSArrayBufferView.h: Multiplication result converted to larger type: Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.

    static size_t sizeOf(uint32_t length, uint32_t elementSize)
    {
        return (length * elementSize + sizeof(EncodedJSValue) - 1)
Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.
            & ~(sizeof(EncodedJSValue) - 1);
    }

fix: cast length to size_t before multiplication.
Comment 1 Michael Saboff 2020-01-08 11:43:03 PST 
<rdar://problem/58383286>
Comment 2 Michael Saboff 2020-01-08 11:56:24 PST 
Created attachment 387122 [details]
Patch
Comment 3 WebKit Commit Bot 2020-01-08 12:54:16 PST 
Comment on attachment 387122 [details]
Patch

Clearing flags on attachment: 387122

Committed r254218: <https://trac.webkit.org/changeset/254218>
Comment 4 WebKit Commit Bot 2020-01-08 12:54:18 PST 
All reviewed patches have been landed.  Closing bug.