Bug 1408584 - Disallow empty clonebuffer, r=kanru
authorSteve Fink <sfink@mozilla.com>
Mon, 16 Oct 2017 11:23:30 -0700
changeset 387348 a2f0768ff0b7e5fc9090c7b41e67ab153ca20ab9
parent 387347 b8a85f1cb39ef627561582c7e6c3a1fd392f15f4
child 387349 1ee54768edd38720939d677f5c3ca05c3e8944ff
push id96424
push usersfink@mozilla.com
push dateFri, 20 Oct 2017 17:07:11 +0000
reviewerskanru
bugs1408584
milestone58.0a1
Bug 1408584 - Disallow empty clonebuffer, r=kanru
js/src/builtin/TestingFunctions.cpp
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2766,17 +2766,17 @@ class CloneBufferObject : public NativeO
                 return false;
             data = reinterpret_cast<uint8_t*>(JS_EncodeString(cx, str));
             if (!data)
                 return false;
             dataOwner.reset(data);
             nbytes = JS_GetStringLength(str);
         }
 
-        if (nbytes % sizeof(uint64_t) != 0) {
+        if (nbytes == 0 || (nbytes % sizeof(uint64_t) != 0)) {
             JS_ReportErrorASCII(cx, "Invalid length for clonebuffer data");
             return false;
         }
 
         auto buf = js::MakeUnique<JSStructuredCloneData>(0, 0, nbytes);
         if (!buf->Init(nbytes, nbytes))
             return false;
         js_memcpy(buf->Start(), data, nbytes);
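Review bot: The new condition on the `if (nbytes == 0 || ...)` line folds two distinct rejections into one "Invalid length" error, and nothing in the hunk says why a zero-length buffer is refused, so a reader of this testing helper has to go to the bug to learn the intent; a one-line comment above the check, e.g. `// An empty buffer cannot be a valid structured-clone payload; reject it up front rather than letting later reads fail.` (wording to be confirmed against the actual failure the bug describes), would make the guard self-explaining. Separately, the context lines just below still call `buf->Init` without checking the result of `js::MakeUnique`; if that allocation is fallible here as it is elsewhere in SpiderMonkey, `if (!buf) return false;` before the `Init` call would avoid a null dereference on OOM. The enclosing CloneBufferObject method begins before and ends after this hunk.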