From 0ddce199d59f84ebce7ffb71afae189aa73804a0 Mon Sep 17 00:00:00 2001
From: Natalie Silvanovich
Date: Wed, 18 Dec 2019 08:26:19 -0800
Subject: [PATCH] Adding tests for Array.prototype.copyWithin (#2443)

* Adding tests for Array.prototype.copyWithin. This case caused a security bug in Moddable
---
 .../coerced-values-start-change-start.js | 59 +++++++++++++++++++
 .../coerced-values-start-change-target.js | 46 +++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js
 create mode 100644 test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js

diff --git a/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js
new file mode 100644
index 0000000000..0f0d82c47a
--- /dev/null
+++ b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-start.js
@@ -0,0 +1,59 @@
+// Copyright (C) 2019 Google. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+/*---
+esid: sec-array.prototype.copywithin
+description: >
+ SECURITY: start argument is coerced to an integer value
+ and side effects change the length of the array so that
+ the start is out of bounds
+info: |
+ 22.1.3.3 Array.prototype.copyWithin (target, start [ , end ] )
+
+ ...
+ 8. Let relativeStart be ToInteger(start).
+ ...
+includes: [compareArray.js]
+---*/
+
+
+// make a long integer Array
+function longDenseArray(){
+ var a = [0];
+ for(var i = 0; i < 1024; i++){
+ a[i] = i;
+ }
+ return a;
+}
+
+function shorten(){
+ currArray.length = 20;
+ return 1000;
+}
+
+var array = [];
+array.length = 20;
+
+var currArray = longDenseArray();
+
+assert(
+ compareArray(
+ currArray.copyWithin(0, {valueOf: shorten}), array
+ ),
+ 'coercion side-effect makes start out of bounds'
+);
+
+currArray = longDenseArray();
+Object.setPrototypeOf(currArray, longDenseArray());
+
+var array2 = longDenseArray();
+array2.length = 20;
+for(var i = 0; i < 24; i++){
+ array2[i] = Object.getPrototypeOf(currArray)[i+1000];
+}
+
+assert(
+ compareArray(
+ currArray.copyWithin(0, {valueOf: shorten}), array2
+ ),
+ 'coercion side-effect makes start out of bounds with prototype'
+);
diff --git a/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js
new file mode 100644
index 0000000000..d12f03f462
--- /dev/null
+++ b/test/built-ins/Array/prototype/copyWithin/coerced-values-start-change-target.js
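Review bot: The `info:` excerpt quotes only the `ToInteger(start)` step, but what the test actually pins is that `len` was already captured by the earlier `Let len be ToLength(Get(O, "length"))` step, so an implementation that re-reads its backing store after the coercion indexes a 1024-element window into a 20-element array; quoting that earlier step as well would make the ordering under test explicit (the same applies to the second hunk). A one-line comment on `shorten` would help a reader who does not have the algorithm in front of them, e.g. `// shrinks the receiver during ToInteger(start); len (1024) was read before this, so from=1000, count=24 now lies past the end`. Minor style point: `var a = [0];` in `longDenseArray` is overwritten by the loop's first iteration, so `var a = [];` is equivalent in both files.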
@@ -0,0 +1,46 @@
+// Copyright (C) 2019 Google. All rights reserved.
+// This code is governed by the BSD license found in the LICENSE file.
+/*---
+esid: sec-array.prototype.copywithin
+description: >
+ SECURITY: start argument is coerced to an integer value
+ and side effects change the length of the array so that
+ the target is out of bounds
+info: |
+ 22.1.3.3 Array.prototype.copyWithin (target, start [ , end ] )
+
+ ...
+ 8. Let relativeStart be ToInteger(start).
+ ...
+includes: [compareArray.js]
+---*/
+
+
+// make a long integer Array
+function longDenseArray(){
+ var a = [0];
+ for(var i = 0; i < 1024; i++){
+ a[i] = i;
+ }
+ return a;
+}
+
+function shorten(){
+ currArray.length = 20;
+ return 1;
+}
+
+var array = longDenseArray();
+array.length = 20;
+for(var i = 0; i < 19; i++){
+ array[i+1000] = array[i+1];
+}
+
+var currArray = longDenseArray();
+
+assert(
+ compareArray(
+ currArray.copyWithin(1000, {valueOf: shorten}), array
+ ),
+ 'coercion side-effect makes target out of bounds'
+);
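Review bot: The expected-array loop `for(var i = 0; i < 19; i++){ array[i+1000] = array[i+1]; }` encodes a derivation that nothing in the hunk explains: count is min(1024-1, 1024-1000) = 24, but after `shorten` only source indices 1..19 still exist, so 19 values land at 1000..1018 and targets 1019..1023 are deleted (already absent) rather than written. A comment above the loop stating that, e.g. `// count = 24, but only from-indices 1..19 survive the shrink; 1019..1023 end up deleted, not copied`, would let a reader check the expectation without re-running the algorithm by hand. Unlike the first file, this one has no prototype variant; if a shrunken receiver inherits indices 20..24 from its prototype those values would be copied to 1019..1023, and a second assert covering that case would give the target side the same coverage the first file gives start.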