author | Tom Sepez <tsepez@chromium.org> | 2017-03-15 15:24:57 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-15 22:50:56 +0000 |
commit | 972eb5c6843b235e5414c86c41e962151a94870c (patch) | |
tree | ab0678b757c6da4b7d11219192eae50999f65ee9 | |
parent | c467d4619ebe0bae9a87b667ca9a06f576138f68 (diff) | |
download | pdfium-972eb5c6843b235e5414c86c41e962151a94870c.tar.xz |
Add array_buffer JS test.
JS Array Buffers are the first candidate to be allocated from
PartitionAlloc when it becomes available, so add test first.
Presently, we will return as large an array buffer as the system
can handle; this is generally a bad idea so limit them to 256MB
and test that we handle failure.
Change-Id: I205745a7938d69eb32ac883b90824f2f9e584ec7
Reviewed-on: https://pdfium-review.googlesource.com/3065
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
-rw-r--r-- | fxjs/fxjs_v8.cpp | 4 | ||||
-rw-r--r-- | fxjs/fxjs_v8.h | 1 | ||||
-rw-r--r-- | testing/resources/javascript/array_buffer.in | 68 | ||||
-rw-r--r-- | testing/resources/javascript/array_buffer_expected.txt | 5 |
4 files changed, 76 insertions, 2 deletions
diff --git a/fxjs/fxjs_v8.cpp b/fxjs/fxjs_v8.cpp
index b0e1a1b260..5f9426b643 100644
--- a/fxjs/fxjs_v8.cpp
+++ b/fxjs/fxjs_v8.cpp
@@ -144,11 +144,11 @@ static v8::Local<v8::ObjectTemplate> GetGlobalObjectTemplate(
 }
 void* FXJS_ArrayBufferAllocator::Allocate(size_t length) {
- return calloc(1, length);
+ return length <= kMaxAllowedBytes ? calloc(1, length) : nullptr;
 }
 void* FXJS_ArrayBufferAllocator::AllocateUninitialized(size_t length) {
- return malloc(length);
+ return length < kMaxAllowedBytes ? malloc(length) : nullptr;
 }
 void FXJS_ArrayBufferAllocator::Free(void* data, size_t length) {
diff --git a/fxjs/fxjs_v8.h b/fxjs/fxjs_v8.h
index 50b0b2c6d0..bdcf425f53 100644
--- a/fxjs/fxjs_v8.h
+++ b/fxjs/fxjs_v8.h
@@ -111,6 +111,7 @@ class FXJS_PerIsolateData {
 };
 class FXJS_ArrayBufferAllocator : public v8::ArrayBuffer::Allocator {
+ static const size_t kMaxAllowedBytes = 0x10000000;
 void* Allocate(size_t length) override;
 void* AllocateUninitialized(size_t length) override;
 void Free(void* data, size_t length) override;
diff --git a/testing/resources/javascript/array_buffer.in b/testing/resources/javascript/array_buffer.in
new file mode 100644
index 0000000000..1f3e32d60d
--- /dev/null
+++ b/testing/resources/javascript/array_buffer.in
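Review bot: The two new guards disagree at the boundary: `Allocate` admits `length <= kMaxAllowedBytes` while `AllocateUninitialized` admits only `length < kMaxAllowedBytes`, so a request of exactly 0x10000000 bytes succeeds through one path and fails through the other. Use the same comparison in both, e.g. `return length <= kMaxAllowedBytes ? malloc(length) : nullptr;` in `AllocateUninitialized`. These allocators back ArrayBuffers requested by script embedded in a PDF, so the cap is the only bound on a single allocation request at this layer, which is all the more reason to keep it consistent and to cover the exact boundary in the new fixture. The rest of the class and the body of `Free` lie outside the hunk.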
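Review bot: `kMaxAllowedBytes` is introduced without a comment, so a reader has to work out that 0x10000000 is 256 MiB and go to the commit message to learn why the cap exists; add `// Cap a single ArrayBuffer allocation at 256 MiB; larger requests get nullptr, which script sees as a RangeError.` above the declaration. Since the header already uses `override`, `static constexpr size_t kMaxAllowedBytes = 0x10000000;` would be the idiomatic spelling for an in-class integral constant; the `static const` form is fine as long as the constant is only read by value, which the two comparisons in fxjs_v8.cpp do. The class body continues outside the hunk.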
@@ -0,0 +1,68 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /OpenAction 10 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+% Page number 0.
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /Resources <<
+ /Font <</F1 15 0 R>>
+ >>
+ /Contents [21 0 R]
+ /MediaBox [0 0 612 792]
+>>
+% OpenAction action
+{{object 10 0}} <<
+ /Type /Action
+ /S /JavaScript
+ /JS 11 0 R
+>>
+endobj
+% JS program to exexute
+{{object 11 0}} <<
+>>
+stream
+app.alert("This test attempts to make array buffers until exhausted");
+
+function test(size) {
+ var i, ab, ia;
+ app.alert("Trying size " + size);
+ ab = new ArrayBuffer(size);
+ ia = new Int32Array(ab);
+ for (i = 0; i < size / 4; ++i) {
+ ia[i] = i;
+ }
+ for (i = 0; i < size / 4; ++i) {
+ if (ia[i] != i) {
+ throw('aaaaaaah');
+ }
+ }
+}
+
+try {
+ test(1000);
+ test(2000000);
+ test(4000000000);
+} catch (e) {
+ app.alert("Caught error " + e);
+}
+endstream
+endobj
+{{xref}}
+trailer <<
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/javascript/array_buffer_expected.txt b/testing/resources/javascript/array_buffer_expected.txt
new file mode 100644
index 0000000000..f8f3bf227c
--- /dev/null
+++ b/testing/resources/javascript/array_buffer_expected.txt
@@ -0,0 +1,5 @@
+Alert: This test attempts to make array buffers until exhausted
+Alert: Trying size 1000
+Alert: Trying size 2000000
+Alert: Trying size 4000000000
+Alert: Caught error RangeError: Array buffer allocation failed
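Review bot: The new fixture never exercises the cap's boundary: 2000000 is well below it and 4000000000 well above, so the `<` versus `<=` difference between `Allocate` and `AllocateUninitialized` in fxjs_v8.cpp goes untested; adding `test(0x10000000);` with a matching expected line would pin which side of the limit is allowed, at the cost of a 256 MiB allocation and fill loop in the test run. Judging by the expected `RangeError: Array buffer allocation failed`, `new ArrayBuffer` appears to reach only the zero-filling `Allocate` path, so `AllocateUninitialized` is presumably not covered by this fixture at all — worth confirming. The comment `% JS program to exexute` has a typo; `% JS program to execute`.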