ValueSerializer: Add more checks before trying to allocate memory for a dense array.

src/value-serializer.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/value-serializer.h"
 
 #include <type_traits>
 
 #include "src/base/logging.h"
 #include "src/conversions.h"
 #include "src/factory.h"
 #include "src/handles-inl.h"
 #include "src/isolate.h"
 #include "src/objects-inl.h"
 #include "src/objects.h"
 #include "src/transitions.h"
 
 namespace v8 {
 namespace internal {
 
 static const uint32_t kLatestVersion = 9;
 static const int kPretenureThreshold = 100 * KB;
 
+// More than 2^30 - 1 elements shouldn't be permitted in a dense array.
+// This shouldn't be possible on the V8 heap anyhow
+static const uint32_t kMaxDenseArrayLength = 0x3FFFFFFF;

[Jakob Kummerow, 2016/10/07 13:10:17]

Why not FixedArray::kMaxLength?

[jbroman, 2016/10/11 16:37:27]

OK, done. I have some vague unease about that value changing, but it doesn't
seem to have done so.

+
 template <typename T>
 static size_t BytesNeededForVarint(T value) {
   static_assert(std::is_integral<T>::value && std::is_unsigned<T>::value,
                 "Only unsigned integer types can be written as varints.");
   size_t result = 0;
   do {
     result++;
     value >>= 7;
   } while (value);
   return result;
@@ skipping 429 matching lines @@
 
   // To keep things simple, for now we decide between dense and sparse
   // serialization based on elements kind. A more principled heuristic could
   // count the elements, but would need to take care to note which indices
   // existed (as only indices which were enumerable own properties at this point
   // should be serialized).
   const bool should_serialize_densely =
       array->HasFastElements() && !array->HasFastHoleyElements();
 
   if (should_serialize_densely) {
+    DCHECK_LE(length, kMaxDenseArrayLength);
+
     // TODO(jbroman): Distinguish between undefined and a hole (this can happen
     // if serializing one of the elements deletes another). This requires wire
     // format changes.
     WriteTag(SerializationTag::kBeginDenseJSArray);
     WriteVarint<uint32_t>(length);
     uint32_t i = 0;
 
     // Fast paths. Note that FAST_ELEMENTS in particular can bail due to the
     // structure of the elements changing.
     switch (array->GetElementsKind()) {
@@ skipping 675 matching lines @@
   }
 
   DCHECK(HasObjectWithID(id));
   return scope.CloseAndEscape(array);
 }
 
 MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() {
   // If we are at the end of the stack, abort. This function may recurse.
   STACK_CHECK(isolate_, MaybeHandle<JSArray>());
 
+  // We shouldn't permit an array larger than the biggest we can request from
+  // V8. As an additional sanity check, since each entry will take at least one
+  // byte to encode, if there are fewer bytes than that we can also fail fast.
   uint32_t length;
-  if (!ReadVarint<uint32_t>().To(&length)) return MaybeHandle<JSArray>();
+  if (!ReadVarint<uint32_t>().To(&length) || length > kMaxDenseArrayLength ||
+      length > static_cast<size_t>(end_ - position_)) {
+    return MaybeHandle<JSArray>();
+  }
 
   uint32_t id = next_id_++;
   HandleScope scope(isolate_);
   Handle<JSArray> array = isolate_->factory()->NewJSArray(
       FAST_HOLEY_ELEMENTS, length, length, INITIALIZE_ARRAY_ELEMENTS_WITH_HOLE,
       pretenure_);
   AddObjectWithID(id, array);
 
   Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate_);
   for (uint32_t i = 0; i < length; i++) {
@@ skipping 544 matching lines @@
   if (stack.size() != 1) {
     isolate_->Throw(*isolate_->factory()->NewError(
         MessageTemplate::kDataCloneDeserializationError));
     return MaybeHandle<Object>();
   }
   return scope.CloseAndEscape(stack[0]);
 }
 
 }  // namespace internal
 }  // namespace v8