bug1440748.js (1850B)
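// Invalid data should not be able to cause a stack overflow in JSStructuredCloneReader.

// This test treats the underlying data format as a black box. It starts
// with valid serialized data and mutates it by repeating a slice thousands of
// times. The engine should reject the result as invalid and not crash.
//
// The input is deliberately malformed, so the only acceptable outcome of
// deserialize() is a thrown JS exception -- never a crash, a hang, or a
// successful decode of corrupt data.

const REPEAT_SIZE_BYTES = 16; // size of repeating slice
const NREPEATS = 50000; // number of times to repeat it
const STEP_SIZE_BYTES = 8; // how far apart we should try cutting

// First, get a typed array containing good serialized data,
// encoded to be sent across a process boundary.
const originalObject = new Uint16Array(new ArrayBuffer(8));
const goodSerializedData = serialize(originalObject, [], { scope: "DifferentProcess" });
const goodBytes = new Uint8Array(goodSerializedData.arraybuffer);
assertEq(goodBytes.length % 8, 0, "this test expects serialized data to consist of 64-bit units");

for (let i = 0; i + REPEAT_SIZE_BYTES <= goodBytes.length; i += STEP_SIZE_BYTES) {
  // The first i bytes of badBytes are identical to goodBytes.
  const badBytes = new Uint8Array(i + NREPEATS * REPEAT_SIZE_BYTES);
  badBytes.set(goodBytes.slice(0, i), 0);

  // The rest consists of a slice of goodBytes repeated over and over.
  // badBytes.length - i is an exact multiple of REPEAT_SIZE_BYTES, so every
  // set() below fits without overrunning the buffer.
  const slab = goodBytes.slice(i, i + REPEAT_SIZE_BYTES);
  for (let j = i; j < badBytes.length; j += REPEAT_SIZE_BYTES) {
    badBytes.set(slab, j);
  }
  // Debugging aid: dump the start of the mutated buffer.
  // print(uneval(Array.from(badBytes.slice(0, i + 2 * REPEAT_SIZE_BYTES))));

  // Construct a bad serialized-data object from the array.
  const badSerializedData = serialize({}, [], { scope: "DifferentProcess" });
  badSerializedData.arraybuffer = badBytes.buffer;

  // Now try deserializing it. The assertion must live outside the try block:
  // a failed assertEq is itself raised as an exception in the shell, so an
  // unconditional catch around it would swallow the failure and let a
  // successful decode of corrupt data go unnoticed.
  let threw = false;
  try {
    deserialize(badSerializedData);
  } catch (exc) {
    threw = true;
  }
  assertEq(threw, true, "no error");
}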