summaryrefslogtreecommitdiffstats
path: root/WebCore/bindings/js/JSArrayBufferViewHelper.h
diff options
context:
space:
mode:
Diffstat (limited to 'WebCore/bindings/js/JSArrayBufferViewHelper.h')
-rw-r--r--WebCore/bindings/js/JSArrayBufferViewHelper.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/WebCore/bindings/js/JSArrayBufferViewHelper.h b/WebCore/bindings/js/JSArrayBufferViewHelper.h
index 27a9a98..ba712c6 100644
--- a/WebCore/bindings/js/JSArrayBufferViewHelper.h
+++ b/WebCore/bindings/js/JSArrayBufferViewHelper.h
@@ -115,6 +115,8 @@ PassRefPtr<ArrayBufferView> constructArrayBufferView(JSC::ExecState* exec)
RefPtr<ArrayBuffer> buffer = toArrayBuffer(exec->argument(0));
if (buffer) {
unsigned offset = (exec->argumentCount() > 1) ? exec->argument(1).toUInt32(exec) : 0;
+ if ((buffer->byteLength() - offset) % sizeof(T))
+ throwError(exec, createRangeError(exec, "ArrayBuffer length minus the byteOffset is not a multiple of the element size."));
unsigned int length = (buffer->byteLength() - offset) / sizeof(T);
if (exec->argumentCount() > 2)
length = exec->argument(2).toUInt32(exec);
generated by cgit v1.1 at 2025-05-18 04:53:06 +0000