src/value-serializer.cc - Issue 2399873002: ValueSerializer: Add more checks before trying to allocate memory for a dense array.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/value-serializer.cc

Issue 2399873002: ValueSerializer: Add more checks before trying to allocate memory for a dense array. (Closed)

Patch Set: be explicit to prevent signed/unsigned comparison Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: src/value-serializer.cc

diff --git a/src/value-serializer.cc b/src/value-serializer.cc

index 69b958292e39085e0db735314b70dc6e8d90a6b4..acca71b6b7f83611f9c2221133aeda9306b85fc5 100644

--- a/src/value-serializer.cc

+++ b/src/value-serializer.cc

@@ -21,6 +21,10 @@ namespace internal {

static const uint32_t kLatestVersion = 9;

static const int kPretenureThreshold = 100 * KB;

+// More than 2^30 - 1 elements shouldn't be permitted in a dense array.

+// This shouldn't be possible on the V8 heap anyhow

+static const uint32_t kMaxDenseArrayLength = 0x3FFFFFFF;

Jakob Kummerow 2016/10/07 13:10:17 Why not FixedArray::kMaxLength?

jbroman 2016/10/11 16:37:27 OK, done. I have some vague unease about that valu

template <typename T>

static size_t BytesNeededForVarint(T value) {

static_assert(std::is_integral<T>::value && std::is_unsigned<T>::value,

@@ -470,6 +474,8 @@ Maybe<bool> ValueSerializer::WriteJSArray(Handle<JSArray> array) {

array->HasFastElements() && !array->HasFastHoleyElements();

if (should_serialize_densely) {

+ DCHECK_LE(length, kMaxDenseArrayLength);

// TODO(jbroman): Distinguish between undefined and a hole (this can happen

// if serializing one of the elements deletes another). This requires wire

// format changes.

@@ -1165,8 +1171,14 @@ MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() {

// If we are at the end of the stack, abort. This function may recurse.

STACK_CHECK(isolate_, MaybeHandle<JSArray>());

+ // We shouldn't permit an array larger than the biggest we can request from

+ // V8. As an additional sanity check, since each entry will take at least one

+ // byte to encode, if there are fewer bytes than that we can also fail fast.

uint32_t length;

- if (!ReadVarint<uint32_t>().To(&length)) return MaybeHandle<JSArray>();

+ if (!ReadVarint<uint32_t>().To(&length) || length > kMaxDenseArrayLength ||

+ length > static_cast<size_t>(end_ - position_)) {

+ return MaybeHandle<JSArray>();

+ }

uint32_t id = next_id_++;

HandleScope scope(isolate_);

« no previous file with comments | « no previous file | test/unittests/value-serializer-unittest.cc » ('j') | no next file with comments »