1/*
2 * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#pragma once
27
28#include "ArrayBuffer.h"
29#include "TypedArrayType.h"
30#include <algorithm>
31#include <limits.h>
32#include <wtf/RefCounted.h>
33#include <wtf/RefPtr.h>
34
35namespace JSC {
36
37class JSArrayBufferView;
38class JSGlobalObject;
39class ExecState;
40
41class ArrayBufferView : public RefCounted<ArrayBufferView> {
42public:
43 virtual TypedArrayType getType() const = 0;
44
45 bool isNeutered() const
46 {
47 return !m_buffer || m_buffer->isNeutered();
48 }
49
50 RefPtr<ArrayBuffer> possiblySharedBuffer() const
51 {
52 if (isNeutered())
53 return nullptr;
54 return m_buffer;
55 }
56
57 RefPtr<ArrayBuffer> unsharedBuffer() const
58 {
59 RefPtr<ArrayBuffer> result = possiblySharedBuffer();
60 RELEASE_ASSERT(!result->isShared());
61 return result;
62 }
63
64 bool isShared() const
65 {
66 if (isNeutered())
67 return false;
68 return m_buffer->isShared();
69 }
70
71 void* baseAddress() const
72 {
73 if (isNeutered())
74 return 0;
75 return m_baseAddress.getMayBeNull();
76 }
77
78 void* data() const { return baseAddress(); }
79
80 unsigned byteOffset() const
81 {
82 if (isNeutered())
83 return 0;
84 return m_byteOffset;
85 }
86
87 virtual unsigned byteLength() const = 0;
88
89 JS_EXPORT_PRIVATE void setNeuterable(bool flag);
90 bool isNeuterable() const { return m_isNeuterable; }
91
92 JS_EXPORT_PRIVATE virtual ~ArrayBufferView();
93
94 // Helper to verify byte offset is size aligned.
95 static bool verifyByteOffsetAlignment(unsigned byteOffset, size_t size)
96 {
97 return !(byteOffset & (size - 1));
98 }
99
100 // Helper to verify that a given sub-range of an ArrayBuffer is
101 // within range.
102 static bool verifySubRangeLength(const ArrayBuffer& buffer, unsigned byteOffset, unsigned numElements, size_t size)
103 {
104 unsigned byteLength = buffer.byteLength();
105 if (byteOffset > byteLength)
106 return false;
107 unsigned remainingElements = (byteLength - byteOffset) / size;
108 if (numElements > remainingElements)
109 return false;
110 return true;
111 }
112
113 virtual JSArrayBufferView* wrap(ExecState*, JSGlobalObject*) = 0;
114
115protected:
116 JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset);
117
118 inline bool setImpl(ArrayBufferView*, unsigned byteOffset);
119
120 // Caller passes in bufferByteLength to avoid a virtual function call.
121 inline bool setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength);
122 inline bool getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength);
123
124 inline bool zeroRangeImpl(unsigned byteOffset, size_t rangeByteLength);
125
126 static inline void calculateOffsetAndLength(
127 int start, int end, unsigned arraySize,
128 unsigned* offset, unsigned* length);
129
130 // Input offset is in number of elements from this array's view;
131 // output offset is in number of bytes from the underlying buffer's view.
132 template <typename T>
133 static void clampOffsetAndNumElements(
134 const ArrayBuffer& buffer,
135 unsigned arrayByteOffset,
136 unsigned *offset,
137 unsigned *numElements)
138 {
139 unsigned maxOffset = (UINT_MAX - arrayByteOffset) / sizeof(T);
140 if (*offset > maxOffset) {
141 *offset = buffer.byteLength();
142 *numElements = 0;
143 return;
144 }
145 *offset = arrayByteOffset + *offset * sizeof(T);
146 *offset = std::min(buffer.byteLength(), *offset);
147 unsigned remainingElements = (buffer.byteLength() - *offset) / sizeof(T);
148 *numElements = std::min(remainingElements, *numElements);
149 }
150
151 unsigned m_byteOffset : 31;
152 bool m_isNeuterable : 1;
153
154 // This is the address of the ArrayBuffer's storage, plus the byte offset.
155 CagedPtr<Gigacage::Primitive, void> m_baseAddress;
156
157private:
158 friend class ArrayBuffer;
159 RefPtr<ArrayBuffer> m_buffer;
160};
161
162bool ArrayBufferView::setImpl(ArrayBufferView* array, unsigned byteOffset)
163{
164 if (byteOffset > byteLength()
165 || byteOffset + array->byteLength() > byteLength()
166 || byteOffset + array->byteLength() < byteOffset) {
167 // Out of range offset or overflow
168 return false;
169 }
170
171 uint8_t* base = static_cast<uint8_t*>(baseAddress());
172 memmove(base + byteOffset, array->baseAddress(), array->byteLength());
173 return true;
174}
175
176bool ArrayBufferView::setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength)
177{
178 // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release.
179 ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength());
180 if (byteOffset > bufferByteLength
181 || byteOffset + dataByteLength > bufferByteLength
182 || byteOffset + dataByteLength < byteOffset) {
183 // Out of range offset or overflow
184 return false;
185 }
186
187 uint8_t* base = static_cast<uint8_t*>(baseAddress());
188 memmove(base + byteOffset, data, dataByteLength);
189 return true;
190}
191
192bool ArrayBufferView::getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength)
193{
194 // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release.
195 ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength());
196 if (byteOffset > bufferByteLength
197 || byteOffset + dataByteLength > bufferByteLength
198 || byteOffset + dataByteLength < byteOffset) {
199 // Out of range offset or overflow
200 return false;
201 }
202
203 const uint8_t* base = static_cast<const uint8_t*>(baseAddress());
204 memmove(destination, base + byteOffset, dataByteLength);
205 return true;
206}
207
208bool ArrayBufferView::zeroRangeImpl(unsigned byteOffset, size_t rangeByteLength)
209{
210 if (byteOffset > byteLength()
211 || byteOffset + rangeByteLength > byteLength()
212 || byteOffset + rangeByteLength < byteOffset) {
213 // Out of range offset or overflow
214 return false;
215 }
216
217 uint8_t* base = static_cast<uint8_t*>(baseAddress());
218 memset(base + byteOffset, 0, rangeByteLength);
219 return true;
220}
221
222void ArrayBufferView::calculateOffsetAndLength(
223 int start, int end, unsigned arraySize, unsigned* offset, unsigned* length)
224{
225 if (start < 0)
226 start += arraySize;
227 if (start < 0)
228 start = 0;
229 if (end < 0)
230 end += arraySize;
231 if (end < 0)
232 end = 0;
233 if (static_cast<unsigned>(end) > arraySize)
234 end = arraySize;
235 if (end < start)
236 end = start;
237 *offset = static_cast<unsigned>(start);
238 *length = static_cast<unsigned>(end - start);
239}
240
241} // namespace JSC
242
243using JSC::ArrayBufferView;
244