shithub: libmujs

Download patch

ref: 40b73014d9b41c48f689b80605ce5c9c37fa71cc
parent: dbc0931a5ca5178ad9839819ea7965f29c6a1ba6
author: Tor Andersson <[email protected]>
date: Mon Jul 23 07:30:22 EDT 2018

Fix 699549: Integer overflow in Array.prototype.sort().

Check size calculation for overflow before allocating memory buffer.

--- a/jsarray.c
+++ b/jsarray.c
@@ -296,6 +296,9 @@
 		return;
 	}
 
+	if (len >= INT_MAX / (int)sizeof(*array))
+		js_rangeerror(J, "array is too large to sort");
+
 	array = js_malloc(J, len * sizeof *array);
 	if (js_try(J)) {
 		js_free(J, array);
--- a/jsrun.c
+++ b/jsrun.c
@@ -446,7 +446,7 @@
 	while (*p) {
 		int c = *p++;
 		if (c >= '0' && c <= '9') {
-			if (n > INT_MAX / 10 - 1)
+			if (n >= INT_MAX / 10)
 				return 0;
 			n = n * 10 + (c - '0');
 		} else {
@@ -553,7 +553,7 @@
 			double rawlen = jsV_tonumber(J, value);
 			int newlen = jsV_numbertointeger(rawlen);
 			if (newlen != rawlen || newlen < 0)
-				js_rangeerror(J, "array length");
+				js_rangeerror(J, "invalid array length");
 			jsV_resizearray(J, obj, newlen);
 			return;
 		}