Diffstat (limited to 'WebCore/html/canvas/DataView.cpp')
-rwxr-xr-xWebCore/html/canvas/DataView.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/WebCore/html/canvas/DataView.cpp b/WebCore/html/canvas/DataView.cpp
index d030211..dbf56ff 100755
--- a/WebCore/html/canvas/DataView.cpp
+++ b/WebCore/html/canvas/DataView.cpp
@@ -29,6 +29,8 @@
#include "DataView.h"
+#include "CheckedInt.h"
+
namespace {
template<typename T>
@@ -43,7 +45,12 @@ namespace WebCore {
PassRefPtr<DataView> DataView::create(PassRefPtr<ArrayBuffer> buffer, unsigned byteOffset, unsigned byteLength)
{
- if (byteOffset + byteLength > buffer->byteLength())
+ if (byteOffset > buffer->byteLength())
+ return 0;
+ CheckedInt<uint32_t> checkedOffset(byteOffset);
+ CheckedInt<uint32_t> checkedLength(byteLength);
+ CheckedInt<uint32_t> checkedMax = checkedOffset + checkedLength;
+ if (!checkedMax.valid() || checkedMax.value() > buffer->byteLength())
return 0;
return adoptRef(new DataView(buffer, byteOffset, byteLength));
}
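Review bot: `buffer` is dereferenced by the first added check (`byteOffset > buffer->byteLength()`) with no null test, so both bounds checks rely on callers never passing a null `PassRefPtr<ArrayBuffer>`. The call sites are not visible here; if that is not guaranteed, start `DataView::create` with `if (!buffer) return 0;`. The wrap-around guard itself is sound, and because the first check already establishes `byteOffset <= buffer->byteLength()`, the same test can be written without `CheckedInt` as `if (byteLength > buffer->byteLength() - byteOffset) return 0;`. Either way, a one-line comment such as `// byteOffset + byteLength can wrap in 32 bits; reject before constructing the view.` would keep a later cleanup from folding this back into the unchecked sum.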