Avoid uint32_t overflow in js shell by checking size.
This commit is contained in:
parent
fdec53dc93
commit
6c0079265a
|
@ -184,6 +184,11 @@ FileAsTypedArray(JSContext* cx, JS::HandleString pathnameStr)
|
|||
return nullptr;
|
||||
JS_ReportErrorUTF8(cx, "can't seek start of %s", pathname.ptr());
|
||||
} else {
|
||||
if (len > INT32_MAX) {
|
||||
JS_ReportErrorUTF8(cx, "file %s is too large for a Uint8Array",
|
||||
pathname.ptr());
|
||||
return nullptr;
|
||||
}
|
||||
obj = JS_NewUint8Array(cx, len);
|
||||
if (!obj)
|
||||
return nullptr;
|
||||
|
|
Loading…
Reference in New Issue