Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TypedArray constructor reads bufferByteLength too early #842

Closed
psmarshall opened this issue Mar 9, 2017 · 2 comments
Closed

TypedArray constructor reads bufferByteLength too early #842

psmarshall opened this issue Mar 9, 2017 · 2 comments

Comments

@psmarshall
Copy link

In 22.2.4.5 TypedArray ( buffer [ , byteOffset [ , length ] ] ):

In step 9, we store the value of the byte length of the buffer.
9. Let bufferByteLength be buffer.[[ArrayBufferByteLength]].

In step 11.a, we can end up in user-code via ToIndex.
11.a. Let newLength be ? ToIndex(length).

In step 11.c, we use the value of bufferByteLength from step 9 -- which could be totally incorrect now, as 11.a could have neutered the buffer.
11.c. If offset + newByteLength > bufferByteLength, throw a RangeError exception.

If an implementation followed this, it could result in (quite bad) security issues.
@littledan
Copy link
Member

I see how this behavior is not what you'd expect--we should probably be doing all conversions before the detached check so that this check can catch as many cases as possible. But I don't see the security issue. A later indexed property access would simply find the underlying ArrayBuffer detached and throw (modulo #678), wouldn't it?

littledan added a commit to littledan/ecma262 that referenced this issue Mar 18, 2017
@littledan
Normative: Swap side effect and check in TypedArray constructor
a8aaecc 
Previously, in one of the TypedArray constructor paths, an ArrayBuffer
was checked for being detached, and then a ToIndex calculation is done.
Because ToIndex may detach the ArrayBuffer itself, this patch moves
the detached check to afterwards, so that it can include that possible
time when the ArrayBuffer may be detached.

Closes tc39#842
@littledan littledan mentioned this issue Mar 18, 2017
Merged
@psmarshall
Copy link
Author

Yes that's true, as long as the property accesses check for detached ArrayBuffer, this won't cause a security problem

bterlson pushed a commit that referenced this issue Mar 31, 2017
@littledan @bterlson
Normative: Swap side effect and check in TypedArray constructor (#852)
eec4f33 
Previously, in one of the TypedArray constructor paths, an ArrayBuffer
was checked for being detached, and then a ToIndex calculation is done.
Because ToIndex may detach the ArrayBuffer itself, this patch moves
the detached check to afterwards, so that it can include that possible
time when the ArrayBuffer may be detached.

Closes #842
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@littledan @psmarshall