LibJS: Fix integer overflow in target_offset of TypedArray.set()

Author: https://github.com/ttrssreal Commit: https://github.com/LadybirdBrowser/ladybird/commit/f3a937ee769 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/4022 Reviewed-by: https://github.com/awesomekling Reviewed-by: https://github.com/gmta ✅
2025-04-21 12:05:15 +00:00 · 2025-03-21 07:04:26 +13:00 · 2025-03-21 07:04:26 +13:00 · f3a937ee76 · 2025-03-25 07:46:40 +00:00
commit f3a937ee76
parent dc83f3375c
2 changed files with 26 additions and 2 deletions
--- a/Libraries/LibJS/Runtime/TypedArrayPrototype.cpp
+++ b/Libraries/LibJS/Runtime/TypedArrayPrototype.cpp
@ -1433,7 +1433,11 @@ static ThrowCompletionOr<void> set_typed_array_from_typed_array(VM& vm, TypedArr

    // 16. If srcLength + targetOffset > targetLength, throw a RangeError exception.
    Checked<size_t> checked = source_length;
-    checked += static_cast<u32>(target_offset);
+
+    if (target_offset > static_cast<double>(NumericLimits<size_t>::max()))
+        return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target offset");
+    checked += static_cast<size_t>(target_offset);
+
    if (checked.has_overflow() || checked.value() > target_length)
        return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length");

@ -1539,7 +1543,11 @@ static ThrowCompletionOr<void> set_typed_array_from_array_like(VM& vm, TypedArra

    // 7. If srcLength + targetOffset > targetLength, throw a RangeError exception.
    Checked<size_t> checked = source_length;
-    checked += static_cast<u32>(target_offset);
+
+    if (target_offset > static_cast<double>(NumericLimits<size_t>::max()))
+        return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target offset");
+    checked += static_cast<size_t>(target_offset);
+
    if (checked.has_overflow() || checked.value() > target_length)
        return vm.throw_completion<RangeError>(ErrorType::TypedArrayOverflowOrOutOfBounds, "target length");

--- a/Libraries/LibJS/Tests/builtins/TypedArray/TypedArray.prototype.set.js
+++ b/Libraries/LibJS/Tests/builtins/TypedArray/TypedArray.prototype.set.js
@ -146,3 +146,19 @@ test("detached buffer", () => {
        expect(typedArray.length).toBe(0);
    });
 });
+
+test("very large targetOffset", () => {
+    TYPED_ARRAYS.forEach(({ array: T }) => {
+        let typedArray = new T();
+
+        expect(() => {
+            // set_typed_array_from_typed_array
+            typedArray.set(typedArray, 2 ** 128);
+        }).toThrowWithMessage(RangeError, "Overflow or out of bounds in target offset");
+
+        expect(() => {
+            // set_typed_array_from_array_like
+            typedArray.set([], 2 ** 128);
+        }).toThrowWithMessage(RangeError, "Overflow or out of bounds in target offset");
+    });
+});