RESOLVED FIXED 215897
[JSC] setLength in Array#push could get very large length
https://bugs.webkit.org/show_bug.cgi?id=215897
Summary [JSC] setLength in Array#push could get very large length
Yusuke Suzuki
Reported 2020-08-27 12:25:04 PDT
[JSC] setLength in Array#push could get very large length
Attachments
Patch (4.12 KB, patch)
2020-08-27 12:29 PDT, Yusuke Suzuki
keith_miller: review+
Yusuke Suzuki
Comment 1 2020-08-27 12:29:07 PDT
Yusuke Suzuki
Comment 2 2020-08-27 12:29:09 PDT
Keith Miller
Comment 3 2020-08-27 12:34:48 PDT
Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

r=me with nits.

> Source/JavaScriptCore/ChangeLog:10
> +        Before r266215, it was using putLength which throws an error. But it is replaced with setLength,

Nit: But it *was* replaced.

> Source/JavaScriptCore/ChangeLog:11
> +        and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it

Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.
Yusuke Suzuki
Comment 4 2020-08-27 12:35:41 PDT
Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:10
>> +        Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
>
> Nit: But it *was* replaced.

Fixed.

>> Source/JavaScriptCore/ChangeLog:11
>> +        and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
>
> Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.

Fixed.
Yusuke Suzuki
Comment 5 2020-08-27 14:33:03 PDT
Darin Adler
Comment 6 2020-08-27 16:02:02 PDT
Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
> +        if (UNLIKELY(value > UINT32_MAX)) {

Could this be a maxArrayLength constant instead of UINT32_MAX?
Darin Adler
Comment 7 2020-08-27 17:51:59 PDT
Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
>> +        if (UNLIKELY(value > UINT32_MAX)) {
>
> Could this be a maxArrayLength constant instead of UINT32_MAX?

Like maybe:

    constexpr uint32_t maxArrayLength = MAX_ARRAY_INDEX + 1;
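The bug above is about Array#push handing setLength a value larger than UINT32_MAX, which the engine previously only caught with an assertion. The script below is an added example, not part of the WebKit bug or the patch, that exercises the length boundaries ECMAScript mandates for Array.prototype.push from the JavaScript side, so that a regression in this area shows up as a missing or wrong exception in a conformance run instead of an engine assertion. The function names probePush and runBoundaryChecks are mine; the second and third cases (a plain array-like object past 2^32, and the 2^53-1 limit giving TypeError) are spec behaviour not discussed on the page, included so the three outcomes can be compared side by side.

```javascript
// Added example (not WebKit code): check the spec-mandated outcomes of
// Array.prototype.push at the 32-bit and 2^53-1 length boundaries.

const UINT32_MAX = 2 ** 32 - 1;        // largest legal length for a real Array
const MAX_SAFE_LENGTH = 2 ** 53 - 1;   // largest length for any array-like object

// Call push generically on `target` and report the outcome as data rather than
// letting the exception propagate, so results can be compared against expectations.
function probePush(target, ...items) {
  try {
    const newLength = Array.prototype.push.apply(target, items);
    return { ok: true, length: newLength, error: null };
  } catch (e) {
    return { ok: false, length: target.length, error: e.constructor.name };
  }
}

// Three constructed boundary cases; each returns the probePush outcome.
function runBoundaryChecks() {
  // 1. Real Array already at 2^32-1: the new length 2^32 is not a valid Array
  //    length, so the push must fail with RangeError ("Invalid array length").
  //    Setting .length on an empty array makes it sparse; nothing is allocated.
  const fullArray = [];
  fullArray.length = UINT32_MAX;
  const arrayCase = probePush(fullArray, "x");

  // 2. Plain array-like object at 2^32: ordinary objects have no 32-bit length
  //    limit, so push succeeds and length becomes 2^32 + 1.
  const arrayLike = { length: UINT32_MAX + 1 };
  const objectCase = probePush(arrayLike, "y");

  // 3. Array-like at 2^53-1: len + argCount exceeds 2^53-1, so push must throw
  //    TypeError before writing any element.
  const hugeLike = { length: MAX_SAFE_LENGTH };
  const safeIntCase = probePush(hugeLike, "z");

  return { arrayCase, objectCase, safeIntCase };
}

// Stand-alone run: print the three outcomes.
console.log(JSON.stringify(runBoundaryChecks(), null, 2));
```

Case 1 is the situation the patch guards against on a real array: the engine must surface a RangeError rather than trip an internal assertion. Cases 2 and 3 are the neighbouring boundaries, useful to keep in the same regression test so a fix for one does not silently break another.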