Bug 205943

Summary: JSArrayBufferView.h: Multiplication result converted to larger type
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ews-watchlist, keith_miller, mark.lam, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Michael Saboff 2020-01-08 11:42:47 PST 
Summary:
JSArrayBufferView.h: Multiplication result converted to larger type: Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.

    static size_t sizeOf(uint32_t length, uint32_t elementSize)
    {
        return (length * elementSize + sizeof(EncodedJSValue) - 1)
Multiplication result may overflow 'unsigned int' before it is converted to 'unsigned long'.
            & ~(sizeof(EncodedJSValue) - 1);
    }

fix: cast length to size_t before multiplication.
Comment 1 Michael Saboff 2020-01-08 11:43:03 PST 
<rdar://problem/58383286>
Comment 2 Michael Saboff 2020-01-08 11:56:24 PST 
Created attachment 387122 [details]
Patch
Comment 3 WebKit Commit Bot 2020-01-08 12:54:16 PST 
Comment on attachment 387122 [details]
Patch

Clearing flags on attachment: 387122

Committed r254218: <https://trac.webkit.org/changeset/254218>
Comment 4 WebKit Commit Bot 2020-01-08 12:54:18 PST 
All reviewed patches have been landed.  Closing bug.