[TextEncoding] Check if array buffer has 32-bit compatible size

This CL replaces calls to deprecatedByteLengthAsUnsigned by calls to byteLengthAsSizeT. If the byte length is larger then a RangeError is thrown to avoid problems in passing a wrongly cast size to the underlying stack. Background: we prepare ArrayBuffers to be bigger than 4GB. Therefore we changed the size field to size_t. Now we are changing all uses of ByteLength to be able to deal with size_t, either by accepting a size_t, or by throwing an exception if the size is too big. R=jsbell@chromium.org Bug: chromium:1008840 Change-Id: Icb8a40032624405458d180ec107f354b166dc60f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1964491Reviewed-by: Joshua Bell <jsbell@chromium.org> Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org> Cr-Commit-Position: refs/heads/master@{#726319}

[TextEncoding] Check if array buffer has 32-bit compatible size
This CL replaces calls to deprecatedByteLengthAsUnsigned by calls to byteLengthAsSizeT. If the byte length is larger then a RangeError is thrown to avoid problems in passing a wrongly cast size to the underlying stack. Background: we prepare ArrayBuffers to be bigger than 4GB. Therefore we changed the size field to size_t. Now we are changing all uses of ByteLength to be able to deal with size_t, either by accepting a size_t, or by throwing an exception if the size is too big. R=jsbell@chromium.org Bug: chromium:1008840 Change-Id: Icb8a40032624405458d180ec107f354b166dc60f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1964491Reviewed-by: Joshua Bell <jsbell@chromium.org> Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org> Cr-Commit-Position: refs/heads/master@{#726319}
8a0a8f8a · Emanuel Ziegler · Commit Bot · 58c9f4ba · 8a0a8f8a · 8a0a8f8a
Commit 8a0a8f8a authored Dec 19, 2019 by Emanuel Ziegler Committed by Commit Bot Dec 19, 2019
2 changed files
--- a/third_party/blink/renderer/modules/encoding/text_decoder.cc
+++ b/third_party/blink/renderer/modules/encoding/text_decoder.cc
@@ -92,8 +92,13 @@ String TextDecoder::decode(const BufferSource& input,
  DCHECK(input.IsArrayBuffer());
  const char* start =
      static_cast<const char*>(input.GetAsArrayBuffer()->Data());
-  uint32_t length = input.GetAsArrayBuffer()->DeprecatedByteLengthAsUnsigned();
+  size_t length = input.GetAsArrayBuffer()->ByteLengthAsSizeT();
-  return decode(start, length, options, exception_state);
+  if (length > std::numeric_limits<uint32_t>::max()) {
+    exception_state.ThrowRangeError(
+        "Buffer size exceeds maximum heap object size.");
+    return String();
+  }
+  return decode(start, static_cast<uint32_t>(length), options, exception_state);
 }
 String TextDecoder::decode(const char* start,

--- a/third_party/blink/renderer/modules/encoding/text_decoder_stream.cc
+++ b/third_party/blink/renderer/modules/encoding/text_decoder_stream.cc
@@ -62,8 +62,14 @@ class TextDecoderStream::Transformer final : public TransformStreamTransformer {
    DCHECK(bufferSource.IsArrayBuffer());
    const auto* array_buffer = bufferSource.GetAsArrayBuffer();
    const char* start = static_cast<const char*>(array_buffer->Data());
-    uint32_t length = array_buffer->DeprecatedByteLengthAsUnsigned();
+    size_t length = array_buffer->ByteLengthAsSizeT();
-    DecodeAndEnqueue(start, length, WTF::FlushBehavior::kDoNotFlush, controller,
+    if (length > std::numeric_limits<uint32_t>::max()) {
+      exception_state.ThrowRangeError(
+          "Buffer size exceeds maximum heap object size.");
+      return ScriptPromise();
+    }
+    DecodeAndEnqueue(start, static_cast<uint32_t>(length),
+                     WTF::FlushBehavior::kDoNotFlush, controller,
                     exception_state);
    return ScriptPromise::CastUndefined(script_state_);