[js] Add dynamic check for valid serialized length

author: Steve Fink <sfink@mozilla.com> 2022-01-13 09:36:11 +0000
committer: Moonchild <moonchild@palemoon.org> 2022-01-14 19:55:06 +0000
commit: b298c855e193b3c39d2f4285f9b762e87e11838a (patch)
tree: 30340ff6e12ec8b9a4b8967dbce73e4e2879fca9
parent: 8945130306b77b191fffc4441eaf797c7d1802ed (diff)
download: uxp-b298c855e193b3c39d2f4285f9b762e87e11838a.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 6c082d6065..9cd4f1e072 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -545,6 +545,11 @@ ReadStructuredClone(JSContext* cx, JSStructuredCloneData& data,
                     JS::StructuredCloneScope scope, MutableHandleValue vp,
                     const JSStructuredCloneCallbacks* cb, void* cbClosure)
 {
+    if (data.Size() % 8) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA, "misaligned");
+        return false;
+    }
     SCInput in(cx, data);
     JSStructuredCloneReader r(in, scope, cb, cbClosure);
     return r.read(vp);
author	Steve Fink <sfink@mozilla.com>	2022-01-13 09:36:11 +0000
committer	Moonchild <moonchild@palemoon.org>	2022-01-14 19:55:06 +0000
commit	b298c855e193b3c39d2f4285f9b762e87e11838a (patch)
tree	30340ff6e12ec8b9a4b8967dbce73e4e2879fca9
parent	8945130306b77b191fffc4441eaf797c7d1802ed (diff)
download	uxp-b298c855e193b3c39d2f4285f9b762e87e11838a.tar.gz