LibJS: start() <= size() assertion failure and out of range value for u32 in TypedArrayPrototype::set
Found with Fuzzilli.
Code:
function main() {
const v2 = new Uint8Array(36690);
const v5 = v2.set(Object,9007199254740992);
}
main();
// STDERR:
// ../../Userland/Libraries/LibJS/Runtime/TypedArrayPrototype.cpp:825:37: runtime error: 9.0072e+15 is outside the range of representable values of type 'unsigned int'
// SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../Userland/Libraries/LibJS/Runtime/TypedArrayPrototype.cpp:825:37 in
// FuzzilliJs: ../.././AK/Span.h:128: Span<T> AK::Span<unsigned char>::slice(size_t) const [T = unsigned char]: Assertion `start <= size()' failed.As file: program_20210809230516_D3FA058C-A7EE-436C-8B46-081AA2883C79_deterministic_6.txt
Note that this only seems to crash on 64-bit builds.
SerenityOSΒ /Β serenity
The Serenity Operating System π
30.6k
Contributors get 100% of received funds after fees
How does funding with Polar work?
1
Pay now to fund the work behind this issue.
2
Get updates on progress being made.
3
Maintainer is rewarded once the issue is completed.
FAQ
Backer
You're funding impactful open source efforts
Contributor
You want to contribute to this effort
Maintainer
You want to get funding like this too