Fix janet-lang#673 - check typed array index bounds as well as buffer…
… count.
Calvin Rose committed Mar 31, 2021
1 parent 2802e66 commit cde4a50
Showing 3 changed files with 12 additions and 5 deletions.
2 changes: 1 addition & 1 deletion src/core/net.c
Expand Up @@ -445,7 +445,7 @@ static Janet cfun_net_shutdown(int32_t argc, Janet *argv) {
janet_arity(argc, 1, 2);
JanetStream *stream = janet_getabstract(argv, 0, &janet_stream_type);
janet_stream_flags(stream, JANET_STREAM_SOCKET);
int shutdown_type = SHUT_RDWR;
int shutdown_type = JANET_SHUTDOWN_RW;
if (argc == 2) {
const uint8_t *kw = janet_getkeyword(argv, 1);
if (0 == janet_cstrcmp(kw, "rw")) {
2 changes: 1 addition & 1 deletion src/core/pp.c
Expand Up @@ -617,7 +617,7 @@ static void janet_pretty_one(struct pretty *S, Janet x, int is_dict_value) {
if (mincap >= INT32_MAX / 2) {
S->keysort_capacity = INT32_MAX;
} else {
S->keysort_capacity = mincap * 2;
S->keysort_capacity = (int32_t) (mincap * 2);
}
S->keysort_buffer = janet_srealloc(S->keysort_buffer, sizeof(int32_t) * S->keysort_capacity);
if (NULL == S->keysort_buffer) {
13 changes: 10 additions & 3 deletions src/core/typedarray.c
Expand Up @@ -498,16 +498,23 @@ static Janet cfun_typed_array_copy_bytes(int32_t argc, Janet *argv) {
size_t index_src = janet_getsize(argv, 1);
JanetTArrayView *dst = janet_getabstract(argv, 2, &janet_ta_view_type);
size_t index_dst = janet_getsize(argv, 3);
if (index_src > src->size || index_dst > dst->size) {
janet_panic("invalid buffer index");
}
size_t count = (argc == 5) ? janet_getsize(argv, 4) : 1;
if (count > dst->size || count > src->size) {
janet_panic("typed array copy out of bounds");
}
size_t src_atom_size = ta_type_sizes[src->type];
size_t dst_atom_size = ta_type_sizes[dst->type];
size_t step_src = src->stride * src_atom_size;
size_t step_dst = dst->stride * dst_atom_size;
size_t pos_src = (src->as.u8 - src->buffer->data) + (index_src * step_src);
size_t pos_dst = (dst->as.u8 - dst->buffer->data) + (index_dst * step_dst);
uint8_t *ps = src->buffer->data + pos_src, * pd = dst->buffer->data + pos_dst;
if ((pos_dst + (count - 1)*step_dst + src_atom_size <= dst->buffer->size) &&
(pos_src + (count - 1)*step_src + src_atom_size <= src->buffer->size)) {
uint8_t *ps = src->buffer->data + pos_src;
uint8_t *pd = dst->buffer->data + pos_dst;
if ((pos_dst + (count - 1) * step_dst + src_atom_size <= dst->buffer->size) &&
(pos_src + (count - 1) * step_src + src_atom_size <= src->buffer->size)) {
for (size_t i = 0; i < count; i++) {
memmove(pd, ps, src_atom_size);
pd += step_dst;
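Review bot: The two new guards compare `index_*` and `count` with the view size independently, so a call with `index_src == src->size - 1` and `count == src->size` passes both, and the range is then limited only by the byte-level test against `buffer->size` further down, not by the view's own extent. That later test does its arithmetic in `size_t`, where `(count - 1) * step_dst` wraps for `count == 0` and, depending on how large `stride` can be (not visible in this hunk), possibly for large counts as well. I would check the range as a whole right after the index guard, `if (count > src->size - index_src || count > dst->size - index_dst) janet_panic("typed array copy out of bounds");`, which cannot underflow once the index guard has passed. `ps` and `pd` are also formed before the buffer test; moving those two declarations inside the `if` avoids computing a pointer beyond the buffer for inputs that are about to be rejected. The function begins above this hunk and its loop and else path continue below it.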
