mirror of
https://github.com/DoneJS-Runtime/quickjs-done-nextgen.git
synced 2025-01-09 17:43:15 +00:00
fix crash in js_typed_array_slice caused by memory overlap (#379)
Use memmove instead of memcpy to prevent UB. Fixes: https://github.com/quickjs-ng/quickjs/issues/378 Co-authored-by: zhang.yuping <zhangyuping.ypz@bytedance.com>
parent
4fb2e38b8a
commit
8dcdb92047
2 changed files with 15 additions and 4 deletions
|
@ -50327,9 +50327,9 @@ static JSValue js_typed_array_slice(JSContext *ctx, JSValue this_val,
|
||||||
if (p1 != NULL && p->class_id == p1->class_id &&
|
if (p1 != NULL && p->class_id == p1->class_id &&
|
||||||
typed_array_get_length(ctx, p1) >= count &&
|
typed_array_get_length(ctx, p1) >= count &&
|
||||||
typed_array_get_length(ctx, p) >= start + count) {
|
typed_array_get_length(ctx, p) >= start + count) {
|
||||||
memcpy(p1->u.array.u.uint8_ptr,
|
memmove(p1->u.array.u.uint8_ptr,
|
||||||
p->u.array.u.uint8_ptr + (start << shift),
|
p->u.array.u.uint8_ptr + (start << shift),
|
||||||
count << shift);
|
count << shift);
|
||||||
} else {
|
} else {
|
||||||
for (n = 0; n < count; n++) {
|
for (n = 0; n < count; n++) {
|
||||||
val = JS_GetPropertyValue(ctx, this_val, js_int32(start + n));
|
val = JS_GetPropertyValue(ctx, this_val, js_int32(start + n));
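Review bot: The `memmove` call in the fast path of js_typed_array_slice carries no comment saying why source and destination can overlap, so a later cleanup could plausibly turn it back into `memcpy` and reintroduce the undefined behaviour. The accompanying test shows the cause: a `Symbol.species` constructor set on the source array can return a view over the same ArrayBuffer at a different offset. I would add above the call `/* p1 comes from the species constructor and may alias p's buffer, so the ranges can overlap: memmove, not memcpy */`. The function body starts and ends outside the hunk, so whether the surrounding code documents this elsewhere cannot be seen here.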
|
||||||
|
|
|
@ -516,7 +516,7 @@ function test_eval()
|
||||||
|
|
||||||
function test_typed_array()
|
function test_typed_array()
|
||||||
{
|
{
|
||||||
var buffer, a, i, str;
|
var buffer, a, i, str, b;
|
||||||
|
|
||||||
a = new Uint8Array(4);
|
a = new Uint8Array(4);
|
||||||
assert(a.length, 4);
|
assert(a.length, 4);
|
||||||
|
@ -569,6 +569,17 @@ function test_typed_array()
|
||||||
assert(a.toString(), "1,2,3,4");
|
assert(a.toString(), "1,2,3,4");
|
||||||
a.set([10, 11], 2);
|
a.set([10, 11], 2);
|
||||||
assert(a.toString(), "1,2,10,11");
|
assert(a.toString(), "1,2,10,11");
|
||||||
|
|
||||||
|
a = new Uint8Array(buffer, 0, 4);
|
||||||
|
a.constructor = {
|
||||||
|
[Symbol.species]: function (len) {
|
||||||
|
return new Uint8Array(buffer, 1, len);
|
||||||
|
},
|
||||||
|
};
|
||||||
|
b = a.slice();
|
||||||
|
assert(a.buffer, b.buffer);
|
||||||
|
assert(a.toString(), "0,0,0,255");
|
||||||
|
assert(b.toString(), "0,0,255,255");
|
||||||
}
|
}
|
||||||
|
|
||||||
function test_json()
|
function test_json()
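Review bot: The new overlap case in test_typed_array asserts byte values ("0,0,0,255" and "0,0,255,255") that depend on whatever `buffer` holds at that point, and `buffer` is filled outside the hunk, so the expected strings cannot be checked from the test itself and will break if the earlier setup changes. A self-contained case would allocate and fill its own buffer so the contents before and after the slice are evident from the lines around it. The case also only exercises a destination that starts after the source; a second one with the species view at the lower offset would cover the other overlap direction.

```javascript
    // … unchanged: earlier typed-array checks …
    buffer = new ArrayBuffer(5);
    a = new Uint8Array(buffer, 0, 4);
    a.set([1, 2, 3, 4]);
    // … unchanged: a.constructor species override returning new Uint8Array(buffer, 1, len) …
    b = a.slice();
    // … unchanged: assert(a.buffer, b.buffer) …
    assert(a.toString(), "1,1,2,3");
    assert(b.toString(), "1,2,3,4");
```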
|
||||||
|
|