From 22de3740fc90456b0381e4373eda42c979bba482 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo
Date: Thu, 11 Jan 2024 13:58:26 -0800
Subject: [PATCH] Normative: Recompute count in TA.p.slice (#3255)

Closes #3248.

The current algorithm has a bug that can result in OOB reads in the source TA, because _count_ is not correctly recomputed when the source TA is resized during evaluation of the species constructor. (It is currently bounded by _len_, which is recomputed, but this is incorrect because the bounds of the copy loop is not on the length, but instead on how many bytes need to be copied.)

---
 spec.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/spec.html b/spec.html
index 1a9b59d689..a068559e70 100644
--- a/spec.html
+++ b/spec.html
@@ -41112,6 +41112,7 @@

%TypedArray%.prototype.slice ( _start_, _end_ )

1. If IsTypedArrayOutOfBounds(_taRecord_) is *true*, throw a *TypeError* exception. 1. Set _len_ to TypedArrayLength(_taRecord_). 1. Set _final_ to min(_final_, _len_). + 1. Set _count_ to max(_final_ - _k_, 0). 1. Let _srcType_ be TypedArrayElementType(_O_). 1. Let _targetType_ be TypedArrayElementType(_A_). 1. If _srcType_ is _targetType_, then @@ -41122,7 +41123,7 @@

%TypedArray%.prototype.slice ( _start_, _end_ )

1. Let _srcByteOffset_ be _O_.[[ByteOffset]]. 1. Let _srcByteIndex_ be (_k_ × _elementSize_) + _srcByteOffset_. 1. Let _targetByteIndex_ be _A_.[[ByteOffset]]. - 1. Let _limit_ be _targetByteIndex_ + min(_count_, _len_) × _elementSize_. + 1. Let _limit_ be _targetByteIndex_ + (_count_ × _elementSize_). 1. Repeat, while _targetByteIndex_ < _limit_, 1. Let _value_ be GetValueFromBuffer(_srcBuffer_, _srcByteIndex_, ~uint8~, *true*, ~unordered~). 1. Perform SetValueInBuffer(_targetBuffer_, _targetByteIndex_, ~uint8~, _value_, *true*, ~unordered~).
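Review bot: in the first hunk, the recomputed `1. Set _count_ to max(_final_ - _k_, 0).` relies on _final_ having just been clamped by `Set _final_ to min(_final_, _len_)` while _k_ is left unchanged; that is sufficient, because when the species constructor shrinks the source so that _k_ >= _final_, the max(..., 0) yields a zero-length copy and the loop below never reads, but the step carries no explanation of why _count_ must be recomputed here. Consider an inline NOTE stating that evaluating the species constructor may resize the source TypedArray, so _count_ (and not only _len_) has to be rederived from the re-clamped _final_ before either copy path runs.

Review bot: in the second hunk, the removed bound `min(_count_, _len_) × _elementSize_` was wrong because _len_ measures the source from index 0, not from _k_, so with _k_ > 0 a _count_ no larger than _len_ still allowed _srcByteIndex_ (which starts at (_k_ × _elementSize_) + _srcByteOffset_) to advance past the end of the source buffer; the new `_limit_ be _targetByteIndex_ + (_count_ × _elementSize_)` is only correct because _count_ is now recomputed as max(_final_ - _k_, 0) with _final_ <= _len_, giving _k_ + _count_ <= _len_. Since _final_ is only ever clamped downward, the recomputed _count_ can also not exceed the value used when _A_ was created, so the target side of the loop stays in bounds as well; the parentheses around (_count_ × _elementSize_) are purely stylistic and can stay.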