GetValue of DataView doesn't guarantee target in range

Yusuke Suzuki utatane.tea at gmail.com
Thu Jan 3 10:01:09 PST 2013


Ah, sorry. I thought it was an issue of ArrayBuffer.


On Fri, Jan 4, 2013 at 2:50 AM, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:

> The DataView section is still an early and very rough draft that is due for
> a total rewrite.  I've made a note that this specific formula needs to be
> fixed.
>
> Allen
>
>
>
>
> On Jan 3, 2013, at 5:49 AM, Yusuke Suzuki wrote:
>
> Hello all,
>
> According to rev13 draft section 15.13.7.4 step 4,
>
> 4. If totalOffset ≥ byteLength, throw a RangeError exception.
>
>
> But this doesn't guarantee that the target is in range of the buffer.
> For example,
>
>     var view = new DataView(new ArrayBuffer(1));
>     view.getUint32(0);
>
> In the above example, GetValue(0, false, Uint32) is called, and then totalOffset
> is 0 and byteLength is 1, so a RangeError exception isn't thrown. But
> because Uint32 requires 4 bytes, this access is out of range.
>
> I think we should check (totalOffset + ElementSize) > byteLength, right?
>
> --
> Regards,
> Yusuke Suzuki


-- 
Regards,
Yusuke Suzuki
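
The two range checks discussed in this thread, as an added example that is not part of the original messages or of the draft specification: it models the check quoted from the rev13 draft and the check proposed in the report, lists every access the draft check would let run past the end of the buffer, and compares the proposed check with what the running engine's `DataView` does. The function names and the flat `totalOffset`/`byteLength` model (a view covering the whole buffer) are assumptions made for this example.

```javascript
// Added example: element sizes in bytes for the DataView getters exercised below.
const ELEMENT_SIZES = { Int8: 1, Uint8: 1, Int16: 2, Uint16: 2,
                        Int32: 4, Uint32: 4, Float32: 4, Float64: 8 };

// Step 4 as quoted from the draft: throw only if totalOffset >= byteLength.
function draftCheckAllows(totalOffset, byteLength) {
  return !(totalOffset >= byteLength);
}

// Check proposed in the thread: the whole element must fit in the buffer.
function proposedCheckAllows(totalOffset, elementSize, byteLength) {
  return !(totalOffset + elementSize > byteLength);
}

// What the engine running this script actually does for the same access.
function engineAllows(type, totalOffset, byteLength) {
  const view = new DataView(new ArrayBuffer(byteLength));
  try { view['get' + type](totalOffset); return true; }
  catch (e) { if (e instanceof RangeError) return false; throw e; }
}

// Every (type, offset, length) the draft check accepts although the
// element would extend `overrun` bytes past the end of the buffer.
function findGaps(maxLength) {
  const gaps = [];
  for (const [type, size] of Object.entries(ELEMENT_SIZES))
    for (let byteLength = 0; byteLength <= maxLength; byteLength++)
      for (let offset = 0; offset <= byteLength; offset++)
        if (draftCheckAllows(offset, byteLength) &&
            !proposedCheckAllows(offset, size, byteLength))
          gaps.push({ type, offset, byteLength, overrun: offset + size - byteLength });
  return gaps;
}

// True if the engine throws RangeError exactly where the proposed check does.
function engineMatchesProposed(maxLength) {
  for (const [type, size] of Object.entries(ELEMENT_SIZES))
    for (let byteLength = 0; byteLength <= maxLength; byteLength++)
      for (let offset = 0; offset <= byteLength; offset++)
        if (engineAllows(type, offset, byteLength) !==
            proposedCheckAllows(offset, size, byteLength)) return false;
  return true;
}

console.log(findGaps(4).filter(g => g.type === 'Uint32'));
console.log('engine matches proposed check:', engineMatchesProposed(16));
```

The single-byte getters never appear in the gap list, because for an element size of 1 the two checks are equivalent; the gap only opens for multi-byte reads near the end of the buffer.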

