commit 0694c31fbb1c392567427d84e64ff504e6f43005
parent ad1cc5e2efe807714485aa2ba8261dba2082a5e6
Author: Matthew Gaudet <mgaudet@mozilla.com>
Date: Mon, 5 Jan 2026 18:02:01 +0000
Bug 2005981 - Throw exception on invalid serialized data r=sfink
Differential Revision: https://phabricator.services.mozilla.com/D276730
Diffstat:
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/js/src/jit-test/tests/structured-clone/bug2005981.js b/js/src/jit-test/tests/structured-clone/bug2005981.js
@@ -0,0 +1,30 @@
+[];
+[-777432661, -1161569985, 2147483648];
+[62034, -2, -2147483647, 3, 9, 14, -9223372036854775808];
+[8, 9, 5, 536870889, 30961, 2147483649, -166670233, 8741];
+[4, , 65535, 8, 10000, 7576, 65535, , 128, , 4, 7, 12304, 536870912, ,];
+const v26 = new ArrayBuffer(8);
+const v27 = new EvalError(v26);
+const v28 = [];
+const o30 = {
+ scope: "DifferentProcess",
+};
+const v35 = new Uint8Array(serialize(v27, v28, o30).arraybuffer);
+for (let i37 = 0; i37 + 16 <= v35.length; i37 += 8) {
+ const v46 = new Uint8Array(i37 + 257 * 16);
+ v46.set(v35.slice(0, i37), 0);
+ const v52 = v35.slice(i37, i37 + 16);
+ for (let i53 = i37; i53 < v46.length; i53 += 16) {
+ v46.set(v52, i53);
+ }
+ const o59 = {};
+ const v60 = [];
+ const o62 = {
+ scope: "DifferentProcess",
+ };
+ const v64 = serialize(o59, v60, o62);
+ v64.arraybuffer = v46.buffer;
+ try {
+ deserialize(v64);
+ } catch (e68) {}
+}
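Review bot: The empty `catch (e68) {}` around `deserialize(v64)` means this test passes whether or not the new error is reported, so it guards only against a crash or assertion failure and not against the specific behaviour the C++ change adds. That is probably intended, since not every corrupted offset has to throw, but the file says so nowhere. A header comment would help, for example `// Overwrite the tail of a serialized EvalError with a repeated 16-byte window at each offset; deserialize() may throw but must not crash or assert.` The five bare array-literal statements at the top have no visible effect on the test and look like fuzzer residue; either drop them or note that they are kept deliberately.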
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
@@ -3679,7 +3679,9 @@ JSObject* JSStructuredCloneReader::readSavedFrameHeader(
source = mutedErrors;
mutedErrors.setBoolean(true); // Safe default value.
} else {
- // Invalid type.
+ JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
+ JSMSG_SC_BAD_SERIALIZED_DATA,
+ "invalid mutedErrors");
return nullptr;
}
}
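Review bot: The new `JS_ReportErrorNumberASCII` call in the final `else` covers only this one rejection path, and `readSavedFrameHeader` starts and ends outside the hunk, so it is not visible whether its other `return nullptr` exits also leave a pending exception. The regression test deserializes a tampered `DifferentProcess` buffer, so this reader has to treat every field as untrusted, and a failure return without a reported error is the defect being fixed here. It would be worth auditing the remaining early returns in this function, and in the sibling header readers, for the same pattern. The removed `// Invalid type.` comment was also the only explanation of the branch; a replacement such as `// Unexpected value type for mutedErrors: treat as corrupt input and report.` would keep the intent readable.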