[js] Add dynamic check for valid serialized length

author: Steve Fink <sfink@mozilla.com> 2022-01-13 09:36:11 +0000
committer: Moonchild <moonchild@palemoon.org> 2022-01-13 09:37:08 +0000
commit: fcc8e4869b62cb7ce5605788aa9178330e2645fd (patch)
tree: 7f055cee90df042b629bef891376ef3c7298a0e3 /js
parent: 759944da77167b1d661fd9fe27d66ab1c9112ee6 (diff)
download: aura-central-fcc8e4869b62cb7ce5605788aa9178330e2645fd.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 6c082d606..9cd4f1e07 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -545,6 +545,11 @@ ReadStructuredClone(JSContext* cx, JSStructuredCloneData& data,
                     JS::StructuredCloneScope scope, MutableHandleValue vp,
                     const JSStructuredCloneCallbacks* cb, void* cbClosure)
 {
+    if (data.Size() % 8) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA, "misaligned");
+        return false;
+    }
     SCInput in(cx, data);
     JSStructuredCloneReader r(in, scope, cb, cbClosure);
     return r.read(vp);
author	Steve Fink <sfink@mozilla.com>	2022-01-13 09:36:11 +0000
committer	Moonchild <moonchild@palemoon.org>	2022-01-13 09:37:08 +0000
commit	fcc8e4869b62cb7ce5605788aa9178330e2645fd (patch)
tree	7f055cee90df042b629bef891376ef3c7298a0e3 /js
parent	759944da77167b1d661fd9fe27d66ab1c9112ee6 (diff)
download	aura-central-fcc8e4869b62cb7ce5605788aa9178330e2645fd.tar.gz