[beacon] Avoid using deprecated DOMArrayBufferView function

With this CL I remove a use of DOMArrayBufferView::deprecatedByteLengthAsUnsigned and replace it by using DOMArrayBufferView::byteLengthAsSizeT. To avoid potential problems with overflows I do an overflow check in NavigatorBeacon::sendBeacon and throw a RangeError if necessary. Additionally I added checks to the BeaconDOMArrayBufferView implementation where the byteLengthAsSizeT is actually used. R=yhirano@chromium.org Bug: chromium:1008840 Change-Id: Ifa94e08e47384232e9d112244ffc29e0e870b2b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1948884Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#721417}

[beacon] Avoid using deprecated DOMArrayBufferView function
With this CL I remove a use of DOMArrayBufferView::deprecatedByteLengthAsUnsigned and replace it by using DOMArrayBufferView::byteLengthAsSizeT. To avoid potential problems with overflows I do an overflow check in NavigatorBeacon::sendBeacon and throw a RangeError if necessary. Additionally I added checks to the BeaconDOMArrayBufferView implementation where the byteLengthAsSizeT is actually used. R=yhirano@chromium.org Bug: chromium:1008840 Change-Id: Ifa94e08e47384232e9d112244ffc29e0e870b2b8 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1948884Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#721417}
b575d179 · Andreas Haas · Commit Bot · 6bf1b472 · b575d179 · b575d179
Commit b575d179 authored Dec 04, 2019 by Andreas Haas Committed by Commit Bot Dec 04, 2019
2 changed files
--- a/third_party/blink/renderer/core/loader/ping_loader.cc
+++ b/third_party/blink/renderer/core/loader/ping_loader.cc
@@ -121,7 +121,10 @@ class BeaconBlob final : public Beacon {
 class BeaconDOMArrayBufferView final : public Beacon {
 public:
-  explicit BeaconDOMArrayBufferView(DOMArrayBufferView* data) : data_(data) {}
+  explicit BeaconDOMArrayBufferView(DOMArrayBufferView* data) : data_(data) {
+    CHECK(base::CheckedNumeric<wtf_size_t>(data->byteLengthAsSizeT()).IsValid())
+        << "EncodedFormData::Create cannot deal with huge ArrayBuffers.";
+  }
  uint64_t size() const override { return data_->byteLengthAsSizeT(); }
@@ -129,7 +132,8 @@ class BeaconDOMArrayBufferView final : public Beacon {
    DCHECK(data_);
    scoped_refptr<EncodedFormData> entity_body = EncodedFormData::Create(
-        data_->BaseAddress(), data_->deprecatedByteLengthAsUnsigned());
+        data_->BaseAddress(),
+        base::checked_cast<wtf_size_t>(data_->byteLengthAsSizeT()));
    request.SetHttpBody(std::move(entity_body));
    // FIXME: a reasonable choice, but not in the spec; should it give a

--- a/third_party/blink/renderer/modules/beacon/navigator_beacon.cc
+++ b/third_party/blink/renderer/modules/beacon/navigator_beacon.cc
@@ -85,8 +85,18 @@ bool NavigatorBeacon::SendBeaconImpl(
  bool allowed;
  if (data.IsArrayBufferView()) {
-    allowed = PingLoader::SendBeacon(GetSupplementable()->GetFrame(), url,
+    auto* data_view = data.GetAsArrayBufferView().View();
-                                     data.GetAsArrayBufferView().View());
+    if (!base::CheckedNumeric<wtf_size_t>(data_view->byteLengthAsSizeT())
+             .IsValid()) {
+      // At the moment the PingLoader::SendBeacon implementation cannot deal
+      // with huge ArrayBuffers.
+      exception_state.ThrowRangeError(
+          "The data provided to sendBeacon() exceeds the maximally possible "
+          "length, which is 4294967295.");
+      return false;
+    }
+    allowed =
+        PingLoader::SendBeacon(GetSupplementable()->GetFrame(), url, data_view);
  } else if (data.IsBlob()) {
    Blob* blob = data.GetAsBlob();
    if (!cors::IsCorsSafelistedContentType(blob->type())) {