mirror of https://github.com/janet-lang/janet synced 2024-11-24 17:27:18 +00:00

Fix #673 - check typed array index bounds as well as buffer count.

Calvin Rose 2021-03-30 21:14:42 -05:00
parent 2802e66259
commit cde4a505cf
3 changed files with 12 additions and 5 deletions


@ -445,7 +445,7 @@ static Janet cfun_net_shutdown(int32_t argc, Janet *argv) {
janet_arity(argc, 1, 2); janet_arity(argc, 1, 2);
JanetStream *stream = janet_getabstract(argv, 0, &janet_stream_type); JanetStream *stream = janet_getabstract(argv, 0, &janet_stream_type);
janet_stream_flags(stream, JANET_STREAM_SOCKET); janet_stream_flags(stream, JANET_STREAM_SOCKET);
int shutdown_type = SHUT_RDWR; int shutdown_type = JANET_SHUTDOWN_RW;
if (argc == 2) { if (argc == 2) {
const uint8_t *kw = janet_getkeyword(argv, 1); const uint8_t *kw = janet_getkeyword(argv, 1);
if (0 == janet_cstrcmp(kw, "rw")) { if (0 == janet_cstrcmp(kw, "rw")) {


@ -617,7 +617,7 @@ static void janet_pretty_one(struct pretty *S, Janet x, int is_dict_value) {
if (mincap >= INT32_MAX / 2) { if (mincap >= INT32_MAX / 2) {
S->keysort_capacity = INT32_MAX; S->keysort_capacity = INT32_MAX;
} else { } else {
S->keysort_capacity = mincap * 2; S->keysort_capacity = (int32_t) (mincap * 2);
} }
S->keysort_buffer = janet_srealloc(S->keysort_buffer, sizeof(int32_t) * S->keysort_capacity); S->keysort_buffer = janet_srealloc(S->keysort_buffer, sizeof(int32_t) * S->keysort_capacity);
if (NULL == S->keysort_buffer) { if (NULL == S->keysort_buffer) {


@ -498,16 +498,23 @@ static Janet cfun_typed_array_copy_bytes(int32_t argc, Janet *argv) {
size_t index_src = janet_getsize(argv, 1); size_t index_src = janet_getsize(argv, 1);
JanetTArrayView *dst = janet_getabstract(argv, 2, &janet_ta_view_type); JanetTArrayView *dst = janet_getabstract(argv, 2, &janet_ta_view_type);
size_t index_dst = janet_getsize(argv, 3); size_t index_dst = janet_getsize(argv, 3);
if (index_src > src->size || index_dst > dst->size) {
janet_panic("invalid buffer index");
}
size_t count = (argc == 5) ? janet_getsize(argv, 4) : 1; size_t count = (argc == 5) ? janet_getsize(argv, 4) : 1;
if (count > dst->size || count > src->size) {
janet_panic("typed array copy out of bounds");
}
size_t src_atom_size = ta_type_sizes[src->type]; size_t src_atom_size = ta_type_sizes[src->type];
size_t dst_atom_size = ta_type_sizes[dst->type]; size_t dst_atom_size = ta_type_sizes[dst->type];
size_t step_src = src->stride * src_atom_size; size_t step_src = src->stride * src_atom_size;
size_t step_dst = dst->stride * dst_atom_size; size_t step_dst = dst->stride * dst_atom_size;
size_t pos_src = (src->as.u8 - src->buffer->data) + (index_src * step_src); size_t pos_src = (src->as.u8 - src->buffer->data) + (index_src * step_src);
size_t pos_dst = (dst->as.u8 - dst->buffer->data) + (index_dst * step_dst); size_t pos_dst = (dst->as.u8 - dst->buffer->data) + (index_dst * step_dst);
uint8_t *ps = src->buffer->data + pos_src, * pd = dst->buffer->data + pos_dst; uint8_t *ps = src->buffer->data + pos_src;
if ((pos_dst + (count - 1)*step_dst + src_atom_size <= dst->buffer->size) && uint8_t *pd = dst->buffer->data + pos_dst;
(pos_src + (count - 1)*step_src + src_atom_size <= src->buffer->size)) { if ((pos_dst + (count - 1) * step_dst + src_atom_size <= dst->buffer->size) &&
(pos_src + (count - 1) * step_src + src_atom_size <= src->buffer->size)) {
for (size_t i = 0; i < count; i++) { for (size_t i = 0; i < count; i++) {
memmove(pd, ps, src_atom_size); memmove(pd, ps, src_atom_size);
pd += step_dst; pd += step_dst;
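Review bot: The two new guards in cfun_typed_array_copy_bytes test the start index and the count separately, so a call with `index_src = src->size - 1` and `count = src->size` passes both even though the range runs past the end of the view, and `>` also accepts an index equal to the size. Only the later `buffer->size` comparison then limits the copy, which keeps it inside the backing buffer but, for a view that covers part of a larger buffer, presumably not inside the view itself. Checking the range as a whole would close that: `if (index_src >= src->size || index_dst >= dst->size)` followed by `if (count > src->size - index_src || count > dst->size - index_dst)`, written as a subtraction so the sum cannot wrap. Separately, `count == 0` makes `(count - 1)` wrap in the unchanged buffer check, so an early return for a zero count would be worth adding before it. The function starts before and continues past this hunk.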