commit bd6f4255ac32
Author: Jason Orendorff <jorendorff@mozilla.com>
Date:   Fri Jan 5 15:17:35 2018 -0600

    Bug 1426783 - Fix error handling in deserialization of invalid typed arrays. r=sfink, a=gchang.
    
    --HG--
    extra : source : f10263c3babef5f70e1e8fdb9e52c2de15cf22e1
    extra : intermediate-source : 3bda6eb9e8469ac4347bb9738d720ea81c358aea
    extra : histedit_source : 9d203779ff057ed4e857fe31ba5b51d38f1547e5
---
 js/src/vm/StructuredClone.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git js/src/vm/StructuredClone.cpp js/src/vm/StructuredClone.cpp
index c18cd232a192..e6623058459f 100644
--- js/src/vm/StructuredClone.cpp
+++ js/src/vm/StructuredClone.cpp
@@ -2011,8 +2011,17 @@ JSStructuredCloneReader::readV1ArrayBuffer(uint32_t arrayType, uint32_t nelems,
 {
     MOZ_ASSERT(arrayType <= Scalar::Uint8Clamped);
 
-    uint32_t nbytes = nelems << TypedArrayShift(static_cast<Scalar::Type>(arrayType));
-    JSObject* obj = ArrayBufferObject::create(context(), nbytes);
+    mozilla::CheckedInt<size_t> nbytes =
+        mozilla::CheckedInt<size_t>(nelems) *
+        TypedArrayElemSize(static_cast<Scalar::Type>(arrayType));
+    if (!nbytes.isValid() || nbytes.value() > UINT32_MAX) {
+        JS_ReportErrorNumberASCII(context(), GetErrorMessage, nullptr,
+                                  JSMSG_SC_BAD_SERIALIZED_DATA,
+                                  "invalid typed array size");
+        return false;
+    }
+
+    JSObject* obj = ArrayBufferObject::create(context(), nbytes.value());
     if (!obj)
         return false;
     vp.setObject(*obj);