From ee0cbc89f99e8f5dfbb6557c1596cb5a89c3dea1 Mon Sep 17 00:00:00 2001
From: Igor Klemenski
Date: Fri, 5 Mar 2021 17:46:41 -0800
Subject: [PATCH 1/2] Fix unsafe cast and detect resize overflow.

---
 ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp | 9 ++++++++-
 ReactCommon/react/renderer/mapbuffer/MapBuffer.h | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp b/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
index e95bdd7509d1b7..e992cffca08945 100644
--- a/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
+++ b/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
@@ -12,7 +12,7 @@ using namespace facebook::react;
 namespace facebook {
 namespace react {
 
-MapBuffer::MapBuffer(int initialSize) {
+MapBuffer::MapBuffer(uint16_t initialSize) {
   _dataSize = initialSize;
   _data = new Byte[_dataSize];
   // TODO: Should we clean up memory here?
@@ -20,6 +20,13 @@ MapBuffer::MapBuffer(int initialSize) {
 
 void MapBuffer::makeSpace() {
   int oldDataSize = _dataSize;
+  if (_dataSize >= std::numeric_limits::max() / 2) {
+    LOG(ERROR)
+        << "Error: trying to assign a value beyond the capacity of uint16_t"
+        << _dataSize * 2;
+    throw "Error: trying to assign a value beyond the capacity of uint16_t" +
+        std::to_string(_dataSize * 2);
+  }
   _dataSize *= 2;
   uint8_t *_newdata = new Byte[_dataSize];
   uint8_t *_oldData = _data;
diff --git a/ReactCommon/react/renderer/mapbuffer/MapBuffer.h b/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
index a56074737d6998..88aa67e97808a6 100644
--- a/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
+++ b/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
@@ -13,7 +13,7 @@ namespace facebook {
 namespace react {
 
 // 506 = 5 entries = 50*10 + 6 sizeof(header)
-const int INITIAL_SIZE = 506;
+const uint16_t INITIAL_SIZE = 506;
 
 /**
  * MapBuffer is an optimized map format for transferring data like props between
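Review bot: The new guard in makeSpace throws a `std::string` (the `const char* + std::string` expression on the `throw` line), which no `catch (const std::exception&)` handler will see, so hitting the ceiling propagates to a `catch (...)` or to `std::terminate`; prefer `throw std::length_error("Error: trying to assign a value beyond the capacity of uint16_t" + std::to_string(_dataSize * 2));` (needs `<stdexcept>`, and `std::numeric_limits` needs `<limits>` — neither include is visible in this hunk). The bound does stop `_dataSize *= 2` from wrapping a `uint16_t` — assuming `_dataSize` is declared as `uint16_t`, which the hunk does not show — though `>= max() / 2` also rejects 32767, whose double (65534) would still fit. Doubling never grows an empty buffer either: a `MapBuffer(0)` stays at `_dataSize == 0` after makeSpace, so a minimum-growth floor on the `_dataSize *= 2;` line would be worth adding. As rendered here `std::numeric_limits::max()` is missing its template argument, presumably lost in extraction. The rest of makeSpace, including the copy into the new buffer, continues outside the hunk.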
@@ -46,7 +46,7 @@ class MapBuffer {
  public:
   MapBuffer() : MapBuffer(INITIAL_SIZE) {}
-  MapBuffer(int initialSize);
+  MapBuffer(uint16_t initialSize);
   ~MapBuffer();

From 76d08ce53d0389d665ba41c405f51bd76bd5696c Mon Sep 17 00:00:00 2001
From: Igor Klemenski
Date: Fri, 5 Mar 2021 21:06:12 -0800
Subject: [PATCH 2/2] Fix overflow while fixing overflow.

---
 ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp | 4 ++--
 ReactCommon/react/renderer/mapbuffer/MapBuffer.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp b/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
index e992cffca08945..1de973515531f3 100644
--- a/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
+++ b/ReactCommon/react/renderer/mapbuffer/MapBuffer.cpp
@@ -23,9 +23,9 @@ void MapBuffer::makeSpace() {
   if (_dataSize >= std::numeric_limits::max() / 2) {
     LOG(ERROR)
         << "Error: trying to assign a value beyond the capacity of uint16_t"
-        << _dataSize * 2;
+        << static_cast(_dataSize) * 2;
     throw "Error: trying to assign a value beyond the capacity of uint16_t" +
-        std::to_string(_dataSize * 2);
+        std::to_string(static_cast(_dataSize) * 2);
   }
   _dataSize *= 2;
   uint8_t *_newdata = new Byte[_dataSize];
diff --git a/ReactCommon/react/renderer/mapbuffer/MapBuffer.h b/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
index 88aa67e97808a6..e6c8d4a2673a23 100644
--- a/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
+++ b/ReactCommon/react/renderer/mapbuffer/MapBuffer.h
@@ -13,7 +13,7 @@ namespace facebook {
 namespace react {
 
 // 506 = 5 entries = 50*10 + 6 sizeof(header)
-const uint16_t INITIAL_SIZE = 506;
+constexpr uint16_t INITIAL_SIZE = 506;
 
 /**
  * MapBuffer is an optimized map format for transferring data like props between
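Review bot: `MapBuffer(uint16_t initialSize);` is still a non-explicit single-argument constructor, and with the parameter now `uint16_t` an `int` argument narrows silently (no diagnostic without -Wconversion), so a caller asking for more than 65535 bytes gets a buffer truncated modulo 65536 instead of an error — the same wrap the makeSpace guard now catches inside the class, just moved to the call site. Declare it `explicit MapBuffer(uint16_t initialSize);` and document the limit on the declaration, e.g. `// Allocates initialSize bytes; growth is by doubling and is bounded by the uint16_t size field.` Callers holding an `int` size should range-check before converting, or use brace-init (`MapBuffer{size}`) so that narrowing fails to compile. The class body continues outside the hunk.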
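Review bot: The cast added on the `<<` and `std::to_string` lines only matters if `_dataSize` is narrower than `int`, and even then only for clarity: a `uint16_t` operand is promoted to `int` by the usual arithmetic conversions before `* 2`, so the previous expression could not overflow; the place a `uint16_t` actually wraps is `_dataSize *= 2;`, which the guard above already prevents. If the intent is to log the requested size untruncated, a comment saying so (`// widen before doubling so the logged value is the requested size, not the wrapped one`) would save the next reader the same analysis. As rendered here the cast's target type and the `numeric_limits` template argument are missing, presumably an extraction artifact. makeSpace continues outside the hunk on both sides.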