GetValue of DataView doesn't guarantee target in range
# Allen Wirfs-Brock (13 years ago)
The DataView section is still an early and very rough draft that is due for a total rewrite. I've made a note that this specific formula needs to be fixed.
Allen

On Jan 3, 2013, at 5:49 AM, Yusuke Suzuki wrote:

> Hello all,
>
> According to rev13 draft section 15.13.7.4 step 4,
>
> 4. If totalOffset ≥ byteLength, throw a RangeError exception.
>
> But this doesn't guarantee target in range of buffer.
> For example,
>
> var view = new DataView(new ArrayBuffer(1));
> view.getUint32(0);
>
> In above example, calling GetValue(0, false, Uint32), and then totalOffset is 0 and byteLength is 1, so a RangeError exception isn't thrown. But because Uint32 requires 4 bytes, this access is out of range.
>
> I think we should check (totalOffset + ElementSize) > byteLength, right?
>
> --
> Regards,
> Yusuke Suzuki
# Yusuke Suzuki (13 years ago)
Ah, sorry. I thought it is an issue of ArrayBuffer.
Hello all,
According to rev13 draft section 15.13.7.4 step 4,
But this doesn't guarantee target in range of buffer. For example,
In above example, calling GetValue(0, false, Uint32), and then totalOffset is 0 and byteLength is 1, so a RangeError exception isn't thrown. But because Uint32 requires 4 bytes, this access is out of range.
I think we should check (totalOffset + ElementSize) > byteLength, right?
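The gap discussed in this thread, as an added example that is not part of the original messages: it puts the quoted rev13 step 4 check beside the check proposed above and compares both with what the running engine's DataView does. The function names are hypothetical, and each view is assumed to start at byte offset 0 of its buffer, so totalOffset equals the requested index.

```javascript
// Added example (not from the thread). Names below are hypothetical.
const ELEMENT_SIZE = { Uint8: 1, Uint16: 2, Uint32: 4, Float64: 8 };

// rev13 step 4 as quoted: throw only if totalOffset >= byteLength.
// elementSize is accepted but ignored, which is exactly the defect.
function draftCheckPasses(totalOffset, byteLength, elementSize) {
  return !(totalOffset >= byteLength);
}

// Check proposed in the thread: throw if totalOffset + ElementSize > byteLength.
function proposedCheckPasses(totalOffset, byteLength, elementSize) {
  return !(totalOffset + elementSize > byteLength);
}

// Ask the running engine: does view.get<Type>(offset) succeed or throw RangeError?
function nativeAccepts(byteLength, type, offset) {
  const view = new DataView(new ArrayBuffer(byteLength));
  try {
    view["get" + type](offset);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e; // anything else is unexpected
  }
}

// Enumerate accesses on small buffers and collect those the draft check lets
// through although part of the element lies past the end of the buffer.
function findDraftGaps(maxLength) {
  const gaps = [];
  for (let byteLength = 1; byteLength <= maxLength; byteLength++) {
    for (const [type, size] of Object.entries(ELEMENT_SIZE)) {
      for (let offset = 0; offset <= byteLength; offset++) {
        const draft = draftCheckPasses(offset, byteLength, size);
        const proposed = proposedCheckPasses(offset, byteLength, size);
        if (proposed !== nativeAccepts(byteLength, type, offset)) {
          throw new Error(`engine disagrees: ${type}@${offset}/${byteLength}`);
        }
        if (draft && !proposed) gaps.push({ byteLength, type, offset });
      }
    }
  }
  return gaps;
}
```

Calling `findDraftGaps(1)` returns the thread's `getUint32(0)` case on a 1-byte buffer along with the Uint16 and Float64 equivalents.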