Bug 1408584 - Disallow empty clonebuffer, r=kanru
authorSteve Fink <sfink@mozilla.com>
Mon, 16 Oct 2017 11:23:30 -0700
changeset 684090 a2f0768ff0b7e5fc9090c7b41e67ab153ca20ab9
parent 684089 b8a85f1cb39ef627561582c7e6c3a1fd392f15f4
child 684091 1ee54768edd38720939d677f5c3ca05c3e8944ff
push id85550
push userbmo:emilio@crisal.io
push dateFri, 20 Oct 2017 19:49:56 +0000
reviewerskanru
bugs1408584
milestone58.0a1
Bug 1408584 - Disallow empty clonebuffer, r=kanru
js/src/builtin/TestingFunctions.cpp
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2766,17 +2766,17 @@ class CloneBufferObject : public NativeO
                 return false;
             data = reinterpret_cast<uint8_t*>(JS_EncodeString(cx, str));
             if (!data)
                 return false;
             dataOwner.reset(data);
             nbytes = JS_GetStringLength(str);
         }
 
-        if (nbytes % sizeof(uint64_t) != 0) {
+        if (nbytes == 0 || (nbytes % sizeof(uint64_t) != 0)) {
             JS_ReportErrorASCII(cx, "Invalid length for clonebuffer data");
             return false;
         }
 
         auto buf = js::MakeUnique<JSStructuredCloneData>(0, 0, nbytes);
         if (!buf->Init(nbytes, nbytes))
             return false;
         js_memcpy(buf->Start(), data, nbytes);
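Review bot: The new `nbytes == 0` rejection on the changed line carries no explanation, and a reader who only sees the arithmetic will note that 0 % sizeof(uint64_t) is 0 and may later "fix" the condition back; a one-line comment naming the reason is worth adding, e.g. `// Zero-length data is rejected too: a clone buffer must carry at least one 64-bit word, so an empty buffer is never a valid input here.` (the exact minimum the reader elsewhere expects is not visible in this hunk, so phrase it to match). Separately, `buf` from `js::MakeUnique` is dereferenced by `buf->Init(nbytes, nbytes)` without a null check; if MakeUnique is fallible in this file as the `JS_EncodeString` path two lines above is, an allocation failure on an attacker-sized input becomes a null dereference rather than a reported error, so `if (!buf || !buf->Init(nbytes, nbytes)) return false;` would be the safer form. The enclosing method starts before and ends after this hunk.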