
Commit e061cf9

joyeecheung authored and V8 LUCI CQ committed
[arraybuffers] initialize max byte length of empty array buffers
Without initializing the max byte length field, any empty array buffer captured in the snapshot can make the snapshot unreproducible.

Refs: nodejs/node#53579
Change-Id: I2489ab2e57ecbb405ec431a87d0acc92822b777c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5662576
Reviewed-by: Marja Hölttä <[email protected]>
Commit-Queue: Marja Hölttä <[email protected]>
Cr-Commit-Position: refs/heads/main@{#94754}
1 parent 405f644 commit e061cf9

1 file changed

Lines changed: 2 additions & 0 deletions

src/builtins/builtins-typed-array-gen.cc

@@ -69,6 +69,8 @@ TNode<JSArrayBuffer> TypedArrayBuiltinsAssembler::AllocateEmptyOnHeapBuffer(
6969
UndefinedConstant());
7070
StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawByteLengthOffset,
7171
UintPtrConstant(0));
72+
StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawMaxByteLengthOffset,
73+
UintPtrConstant(0));
7274
StoreSandboxedPointerToObject(buffer, JSArrayBuffer::kBackingStoreOffset,
7375
EmptyBackingStoreBufferConstant());
7476
#ifdef V8_COMPRESS_POINTERS
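Review bot: the new `StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawMaxByteLengthOffset, UintPtrConstant(0))` at line 72 is the right fix for the uninitialized field, but the change carries no regression check: nothing in this hunk or the commit asserts that an empty on-heap buffer now serializes deterministically, so a later refactor of `AllocateEmptyOnHeapBuffer` could silently drop the store again. Suggest adding a test that snapshots an empty `ArrayBuffer` twice and compares the bytes, and a one-line comment next to the store noting that max byte length must equal byte length (0) for a non-resizable empty buffer and that leaving it uninitialized leaked nondeterministic memory into the snapshot, as the commit message describes.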
