Closed
Bug 1205616
Opened 9 years ago
Closed 8 years ago
Creating a 4GB ArrayBuffer does not throw.
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: jujjyl, Assigned: jorendorff)
References
(Blocks 1 open bug)
Details
(Keywords: sec-audit)
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
STR: Run the attached .html file.
Observed: The page prints "0".
Expected: Creating the ArrayBuffer should fail, and the page should throw an error "RangeError: invalid array length". (Works in Chrome)
|
||
Comment 1•9 years ago
|
||
Buffers larger than 4GB are definitely allowed by ES-2015.
(Obviously there's a bug here though.)
|
Reporter | |
Comment 2•9 years ago
|
||
Oh right - I was expecting it to throw since creating an ArrayBuffer of size 2^32-1 did throw, but of course getting a 4GB ArrayBuffer would be an ok result as well. (I think we currently have a limit of 2^31-1 bytes on ArrayBuffer size)
|
|
||
Comment 3•9 years ago
|
||
Looking at the creation code, it's a bit messy and arguably incorrect but almost certainly safe. It performs a ToInt32 operation, so sizes between 2GB and 4GB are illegal but then 4GB to 6GB is legal again. It should use ToLength and then do a proper check on the length.
The create() method takes a uint32 but does not check that it is a uint32 in the proper range, notably it rounds the uint32 up to the page size so the strictly largest byte length for an ArrayBuffer is probably 4GB - pagesize.
Elsewhere we have guards on the length being < 2GB.
Group: core-security
|
|
||
Comment 4•9 years ago
|
||
Marking s-s because correctness is not obvious. No smoking gun yet.
|
|
||
Updated•9 years ago
|
|
||
Updated•9 years ago
|
Group: core-security → javascript-core-security
|
|
||
Comment 5•9 years ago
|
||
Lars: did you decide this was a security bug that needs to remain hidden, and if so what is it's severity? Or is everything OK here.
Flags: needinfo?(lhansen)
|
|
||
Comment 6•9 years ago
|
||
Daniel: I don't think I ever finished the investigation, I was sidetracked (still am).
Flags: needinfo?(lhansen)
|
||
Comment 7•9 years ago
|
||
I'm just going to mark this sec-audit for now. Please adjust or clear the rating if you determine there to be an issue here. Thanks.
Keywords: sec-audit
|
Assignee | |
Comment 9•9 years ago
|
||
Talked with Lars about this. I'm just going to fix the argument handling in the open bug (bug 1255128).
|
||
Updated•8 years ago
|
Assignee: nobody → winter2718
|
|
||
Comment 10•8 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #9)
> Talked with Lars about this. I'm just going to fix the argument handling in
> the open bug (bug 1255128).
Taking ownership for bookkeeping and to ensure that this doesn't slip through the cracks once we fix bug 1255128.
|
||
Comment 11•8 years ago
|
||
Any updates on this?
status-firefox43:
affected → ---
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Updated•8 years ago
|
Assignee: winter2718 → jorendorff
Flags: needinfo?(jorendorff)
|
||
Comment 12•8 years ago
|
||
Is there a timeline we want/need to get this fixed?
Flags: needinfo?(jorendorff)
|
|
||
Comment 13•8 years ago
|
||
Didn't Tom fix this with his ToIndex work, recently?
|
||
Comment 14•8 years ago
|
||
Yeah, this looks fixed in current code by bug 1255128, and stepping through in a debugger, it properly throws.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
|
||
Updated•8 years ago
|
Group: javascript-core-security → core-security-release
|
|
Assignee | |
Updated•8 years ago
|
Flags: needinfo?(jorendorff)
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•