GetValue of DataView doesn't guarantee target in range

Yusuke Suzuki utatane.tea at gmail.com
Thu Jan 3 05:49:05 PST 2013


Hello all,

According to rev13 draft section 15.13.7.4 step 4,

4. If totalOffset ≥ byteLength, throw a RangeError exception.


But this doesn't guarantee target in range of buffer.
For example,

    var view = new DataView(new ArrayBuffer(1));
    view.getUint32(0);

In above example, calling GetValue(0, false, Uint32), and then totalOffset
is 0 and byteLength is 1, so a RangeError exception isn't thrown. But
because Uint32 requires 4 bytes, this access is out of range.

I think we should check (totalOffset + ElementSize) > byteLength, right?

-- 
Regards,
Yusuke Suzuki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130103/8c72ca1f/attachment.html>


More information about the es-discuss mailing list