[GR-33278] Throw RangeError when byteLength passed to ArrayBuffer::NewBackingStore() is too large.

iamstolis · iamstolis · commit dd6c178d1294 · 2021-09-19T19:32:05.000Z
PullRequest: js/2151
diff --git a/graal-nodejs/deps/v8/src/graal/graal_isolate.cc b/graal-nodejs/deps/v8/src/graal/graal_isolate.cc
@@ -681,7 +681,7 @@ GraalIsolate::GraalIsolate(JavaVM* jvm, JNIEnv* env, v8::Isolate::CreateParams c
     ACCESS_METHOD(GraalAccessMethod::array_buffer_byte_length, "arrayBufferByteLength", "(Ljava/lang/Object;)J")
     ACCESS_METHOD(GraalAccessMethod::array_buffer_new, "arrayBufferNew", "(Ljava/lang/Object;I)Ljava/lang/Object;")
     ACCESS_METHOD(GraalAccessMethod::array_buffer_new_buffer, "arrayBufferNew", "(Ljava/lang/Object;Ljava/lang/Object;J)Ljava/lang/Object;")
-    ACCESS_METHOD(GraalAccessMethod::array_buffer_new_backing_store, "arrayBufferNewBackingStore", "(I)Ljava/lang/Object;")
+    ACCESS_METHOD(GraalAccessMethod::array_buffer_new_backing_store, "arrayBufferNewBackingStore", "(J)Ljava/lang/Object;")
     ACCESS_METHOD(GraalAccessMethod::array_buffer_get_contents, "arrayBufferGetContents", "(Ljava/lang/Object;)Ljava/lang/Object;")
     ACCESS_METHOD(GraalAccessMethod::array_buffer_view_buffer, "arrayBufferViewBuffer", "(Ljava/lang/Object;)Ljava/lang/Object;")
     ACCESS_METHOD(GraalAccessMethod::array_buffer_view_byte_length, "arrayBufferViewByteLength", "(Ljava/lang/Object;)I")
diff --git a/graal-nodejs/deps/v8/src/graal/v8.cc b/graal-nodejs/deps/v8/src/graal/v8.cc
@@ -3453,7 +3453,7 @@ namespace v8 {
 
     std::unique_ptr<BackingStore> ArrayBuffer::NewBackingStore(Isolate* isolate, size_t byte_length) {
         GraalIsolate* graal_isolate = reinterpret_cast<GraalIsolate*> (isolate);
-        JNI_CALL(jobject, java_buffer, graal_isolate, GraalAccessMethod::array_buffer_new_backing_store, Object, (jint) byte_length);
+        JNI_CALL(jobject, java_buffer, graal_isolate, GraalAccessMethod::array_buffer_new_backing_store, Object, (jlong) byte_length);
         JNIEnv* env = graal_isolate->GetJNIEnv();
         jobject java_store = env->NewGlobalRef(java_buffer);
         env->DeleteLocalRef(java_buffer);
diff --git a/graal-nodejs/mx.graal-nodejs/com.oracle.truffle.trufflenode/src/com/oracle/truffle/trufflenode/GraalJSAccess.java b/graal-nodejs/mx.graal-nodejs/com.oracle.truffle.trufflenode/src/com/oracle/truffle/trufflenode/GraalJSAccess.java
@@ -1244,8 +1244,11 @@ public Object arrayBufferNew(Object context, int byteLength) {
         return JSArrayBuffer.createDirectArrayBuffer(realm.getContext(), realm, byteLength);
     }
 
-    public Object arrayBufferNewBackingStore(int byteLength) {
-        return DirectByteBufferHelper.allocateDirect(byteLength);
+    public Object arrayBufferNewBackingStore(long byteLength) {
+        if (byteLength > Integer.MAX_VALUE || byteLength < 0) {
+            throw Errors.createRangeError("Cannot create a Buffer larger than 2147483647 bytes");
+        }
+        return DirectByteBufferHelper.allocateDirect((int) byteLength);
     }
 
     public long arrayBufferByteLength(Object arrayBuffer) {
diff --git a/graal-nodejs/test/graal/unit/arraybuffer.cc b/graal-nodejs/test/graal/unit/arraybuffer.cc
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -92,4 +92,11 @@ ArrayBufferViewNewTest(BigInt64Array, 8)
 ArrayBufferViewNewTest(BigUint64Array, 8)
 ArrayBufferViewNewTest(DataView, 1)
 
+// Extracted from a test of sodium npm package
+EXPORT_TO_JS(NewBackingStoreSodium) {
+    Isolate* isolate = args.GetIsolate();
+    // Check that we do not crash
+    ArrayBuffer::NewBackingStore(isolate, 4294967173u); // -123 interpreted as unsigned
+}
+
 #undef SUITE
diff --git a/graal-nodejs/test/graal/unit/arraybuffer.js b/graal-nodejs/test/graal/unit/arraybuffer.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -113,4 +113,14 @@ describe('ArrayBuffer', function () {
             });
         }
     });
+    describe('NewBackingStore', function () {
+        it('should not crash for a very large byte length', function() {
+            try {
+                // should either succeed or throw RangeError
+                module.ArrayBuffer_NewBackingStoreSodium();
+            } catch (e) {
+                assert.ok(e instanceof RangeError);
+            }
+        });
+    });
 });

Original file line number	Diff line number	Diff line change
`@@ -1244,8 +1244,11 @@ public Object arrayBufferNew(Object context, int byteLength) {`
`1244`	`1244`	`return JSArrayBuffer.createDirectArrayBuffer(realm.getContext(), realm, byteLength);`
`1245`	`1245`	`}`
`1246`	`1246`
`1247`		`- public Object arrayBufferNewBackingStore(int byteLength) {`
`1248`		`- return DirectByteBufferHelper.allocateDirect(byteLength);`
	`1247`	`+ public Object arrayBufferNewBackingStore(long byteLength) {`
	`1248`	`+ if (byteLength > Integer.MAX_VALUE \|\| byteLength < 0) {`
	`1249`	`+ throw Errors.createRangeError("Cannot create a Buffer larger than 2147483647 bytes");`
	`1250`	`+ }`
	`1251`	`+ return DirectByteBufferHelper.allocateDirect((int) byteLength);`
`1249`	`1252`	`}`
`1250`	`1253`
`1251`	`1254`	`public long arrayBufferByteLength(Object arrayBuffer) {`