fix crash in js_typed_array_slice caused by memory overlap (#379)
Use memmove instead of memcpy to prevent UB. Fixes: https://github.com/quickjs-ng/quickjs/issues/378 Co-authored-by: zhang.yuping <zhangyuping.ypz@bytedance.com>
This commit is contained in:
parent
4fb2e38b8a
commit
8dcdb92047
2 changed files with 15 additions and 4 deletions
|
@ -50327,7 +50327,7 @@ static JSValue js_typed_array_slice(JSContext *ctx, JSValue this_val,
|
|||
if (p1 != NULL && p->class_id == p1->class_id &&
|
||||
typed_array_get_length(ctx, p1) >= count &&
|
||||
typed_array_get_length(ctx, p) >= start + count) {
|
||||
memcpy(p1->u.array.u.uint8_ptr,
|
||||
memmove(p1->u.array.u.uint8_ptr,
|
||||
p->u.array.u.uint8_ptr + (start << shift),
|
||||
count << shift);
|
||||
} else {
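Review bot: The switch to memmove on the `memmove(p1->u.array.u.uint8_ptr,` line deserves a why-comment, because a later reader will see memcpy as the obvious choice for a freshly constructed result array and may "optimize" it back; the aliasing only arises because the user-supplied Symbol.species constructor can hand back a view over the same ArrayBuffer, as the accompanying test does. Suggested comment above that call: `/* p1 may be a view over the same buffer as p (user-supplied Symbol.species), so the byte ranges can overlap: memmove, not memcpy */`. The length guard on the two lines above is also what keeps this fast path in bounds after the species constructor has run arbitrary JS; it presumably relies on typed_array_get_length() reporting 0 (or the shrunk length) for a buffer that was detached or resized in the meantime, which is worth confirming against that helper since it is outside this hunk. js_typed_array_slice starts and ends outside the hunk.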
|
||||
|
|
|
@ -516,7 +516,7 @@ function test_eval()
|
|||
|
||||
function test_typed_array()
|
||||
{
|
||||
var buffer, a, i, str;
|
||||
var buffer, a, i, str, b;
|
||||
|
||||
a = new Uint8Array(4);
|
||||
assert(a.length, 4);
|
||||
|
@ -569,6 +569,17 @@ function test_typed_array()
|
|||
assert(a.toString(), "1,2,3,4");
|
||||
a.set([10, 11], 2);
|
||||
assert(a.toString(), "1,2,10,11");
|
||||
|
||||
a = new Uint8Array(buffer, 0, 4);
|
||||
a.constructor = {
|
||||
[Symbol.species]: function (len) {
|
||||
return new Uint8Array(buffer, 1, len);
|
||||
},
|
||||
};
|
||||
b = a.slice();
|
||||
assert(a.buffer, b.buffer);
|
||||
assert(a.toString(), "0,0,0,255");
|
||||
assert(b.toString(), "0,0,255,255");
|
||||
}
|
||||
|
||||
function test_json()
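Review bot: The expected strings `"0,0,0,255"` and `"0,0,255,255"` on the two assert lines depend on whatever contents `buffer` was left with by earlier statements of test_typed_array, which are outside this hunk, so the regression test is not self-describing and will silently change meaning if that setup is edited. Seeding the source view with distinct bytes right after `a = new Uint8Array(buffer, 0, 4);` pins the overlap behaviour directly, e.g. `a.set([1, 2, 3, 4]);` followed by `assert(a.toString(), "1,1,2,3");` and `assert(b.toString(), "1,2,3,4");`, and distinct values make a smeared overlapping copy visibly wrong rather than relying on the 0/255 pattern. test_typed_array begins before this hunk.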
|
||||
|
|