Closed Bug 1566883 Opened 5 years ago Closed 5 years ago

ArrayBuffer with contents not aligned to 2 byte boundary reads out of bounds

Categories

(Core :: JavaScript Engine, defect)

Version: 68 Branch
Platform: x86_64
OS: All
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1505902

People

(Reporter: ptomato, Unassigned)

Attachments

(1 file)

Attached file: Test program showing the bug (deleted)

See attached test program. It seems that creating an ArrayBuffer with contents ends up reading out of bounds if the contents are not aligned to 2 bytes.

The expected output would be

NewArrayBufferWithUserOwnedContents: 4,5,6
NewExternalArrayBuffer: 4,5,6
NewArrayBufferWithContents: 4,5,6

Instead the output is

NewArrayBufferWithUserOwnedContents: 1,4,5
NewExternalArrayBuffer: 1,4,5
NewArrayBufferWithContents: 1,4,5

Building with a debug-enabled SpiderMonkey explains why:

Assertion failure: (uintptr_t(ptr) & 1) == 0, at /path/include/js/Value.h:830

It seems the location of the contents is stuffed in a PrivateValue which loses the lowest bit. It's probably impractical to make ArrayBuffer support this, so maybe the answer here is a patch which documents the alignment requirement for each of these three APIs, and adds a clearer debug-mode assertion (with a message explaining how to correct it).
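The mechanism described in the report, as an added illustration that is not the reporter's test program and not SpiderMonkey's own JS::Value code: a pointer stored in a tagged word whose low bit is reserved loses that bit, so an odd contents address is read back one byte too early. The backing array is constructed so the symptom matches the report (1,4,5 instead of 4,5,6); the names `TaggedPtr`, `readThroughPrivate` and `readContentsChecked` are this example's own, and the alignment check mirrors the `(uintptr_t(ptr) & 1) == 0` assertion quoted above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Model of a pointer stuffed into a PrivateValue-like tagged word (not
// SpiderMonkey's actual implementation): the low bit is reserved as a tag,
// so an odd address silently loses that bit and points one byte too early.
struct TaggedPtr { uintptr_t bits; };

static TaggedPtr storePrivate(const void* p) {
  return TaggedPtr{reinterpret_cast<uintptr_t>(p) & ~uintptr_t(1)};
}

static const uint8_t* loadPrivate(TaggedPtr v) {
  return reinterpret_cast<const uint8_t*>(v.bits);
}

// The same check the page's debug assertion performs; a caller should apply
// it before handing memory to any of the three *Contents APIs.
static bool isPrivateValueAligned(const void* p) {
  return (reinterpret_cast<uintptr_t>(p) & 1) == 0;
}

// Read `len` bytes the way an ArrayBuffer built on `contents` would.
static std::vector<uint8_t> readThroughPrivate(const uint8_t* contents, size_t len) {
  const uint8_t* base = loadPrivate(storePrivate(contents));
  return std::vector<uint8_t>(base, base + len);
}

// Hardened caller: refuse misaligned contents instead of reading before them.
static bool readContentsChecked(const uint8_t* contents, size_t len,
                                std::vector<uint8_t>* out) {
  if (!isPrivateValueAligned(contents)) return false;
  *out = readThroughPrivate(contents, len);
  return true;
}

// Constructed backing storage: the bytes of interest (4,5,6) sit at odd
// offset 3, preceded by the byte 1. The stray byte is still inside this
// array, so the demo itself stays in bounds; in the real bug it is not.
alignas(2) static const uint8_t kStorage[] = {0, 0, 1, 4, 5, 6};

static std::vector<uint8_t> demoRead(size_t offset) {
  return readThroughPrivate(kStorage + offset, 3);
}

int main() {
  std::vector<uint8_t> out;
  bool ok = readContentsChecked(kStorage + 3, 3, &out);  // rejected: odd address
  std::vector<uint8_t> raw = demoRead(3);                 // 1,4,5 instead of 4,5,6
  std::printf("checked=%d raw=%u,%u,%u\n", ok, raw[0], raw[1], raw[2]);
  return 0;
}
```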

See also bug 1505902. Maybe this is a duplicate?

I guess so!

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
