chakra-core · chakrabot · Jan 3, 2017 · Dec 28, 2016 · tcare · Dec 29, 2016
diff --git a/lib/Runtime/Library/ArrayBuffer.cpp b/lib/Runtime/Library/ArrayBuffer.cpp
@@ -211,7 +211,7 @@ namespace Js
         uint32 byteLength = 0;
         if (args.Info.Count > 1)
         {
-            byteLength = ToIndex(args[1], JSERR_ArrayLengthConstructIncorrect, scriptContext, MaxArrayBufferLength, false);
+            byteLength = ToIndex(args[1], JSERR_ArrayLengthConstructIncorrect, scriptContext, MaxArrayBufferLength);
         }
 
         RecyclableObject* newArr = scriptContext->GetLibrary()->CreateArrayBuffer(byteLength);

diff --git a/lib/Runtime/Library/DataView.cpp b/lib/Runtime/Library/DataView.cpp
@@ -24,7 +24,6 @@ namespace Js
         uint32 byteLength = 0;
         uint32 mappedLength;
         int32 offset = 0;
-        double numberOffset = 0;
         ArrayBufferBase* arrayBuffer = nullptr;
         DataView* dataView;
 
@@ -49,7 +48,7 @@ namespace Js
             {
             case S_OK:
             case S_FALSE:
-                arrayBuffer = static_cast<ArrayBuffer *> (ab);
+                arrayBuffer = ab;
                 // Both of these cases will be handled by the arrayBuffer null check.
                 break;
 
@@ -74,50 +73,37 @@ namespace Js
             }
         }
 
-        //4.    Let numberOffset be ToNumber(byteOffset).
-        //5.    Let offset be ToInteger(numberOffset).
-        //6.    ReturnIfAbrupt(offset).
-        //7.    If numberOffset <> offset or offset < 0, throw a RangeError exception.
+        //4.    Let offset be ToIndex(byteOffset).
         if (args.Info.Count > 2)
         {
             Var secondArgument = args[2];
-            numberOffset = JavascriptConversion::ToNumber(secondArgument, scriptContext);
-            offset = JavascriptConversion::ToInt32(numberOffset);
-
-            if (offset < 0 ||
-                numberOffset != offset)
-            {
-                JavascriptError::ThrowRangeError(
-                    scriptContext, JSERR_DataView_InvalidArgument, _u("byteOffset"));
-            }
+            offset = ArrayBuffer::ToIndex(secondArgument, JSERR_ArrayLengthConstructIncorrect, scriptContext, ArrayBuffer::MaxArrayBufferLength, false);
         }
 
-        //8.    If IsDetachedBuffer(buffer) is true, throw a TypeError exception.
+        //5.    If IsDetachedBuffer(buffer) is true, throw a TypeError exception.
         if (arrayBuffer->IsDetached())
         {
             JavascriptError::ThrowTypeError(scriptContext, JSERR_This_NeedDataView);
         }
 
-        //9.    Let bufferByteLength be the value of buffer's[[ArrayBufferByteLength]] internal slot.
-        //10.   If offset > bufferByteLength, throw a RangeError exception.
-
+        //6.    Let bufferByteLength be the value of buffer's[[ArrayBufferByteLength]] internal slot.
+        //7.   If offset > bufferByteLength, throw a RangeError exception.
         byteLength = arrayBuffer->GetByteLength();
         if ((uint32)offset > byteLength)
         {
             JavascriptError::ThrowRangeError(
                 scriptContext, JSERR_DataView_InvalidArgument, _u("byteOffset"));
         }
 
-        //11.   If byteLength is undefined, then
+        //8.   If byteLength is either not present or is undefined, then
         //      a.  Let viewByteLength be bufferByteLength - offset.
-        //12.   Else,
-        //      a.  Let viewByteLength be ToLength(byteLength).
-        //      b.  ReturnIfAbrupt(viewLength).
-        //      c.  If offset + viewByteLength > bufferByteLength, throw a RangeError exception.
+        //9.   Else,
+        //      a.  Let viewByteLength be ToIndex(byteLength).
+        //      b.  If offset + viewByteLength > bufferByteLength, throw a RangeError exception.
         if (args.Info.Count > 3 && !JavascriptOperators::IsUndefinedObject(args[3]))
             {
                 Var thirdArgument = args[3];
-                mappedLength = (uint32)JavascriptConversion::ToLength(thirdArgument, scriptContext);
+                mappedLength = ArrayBuffer::ToIndex(thirdArgument, JSERR_ArrayLengthConstructIncorrect, scriptContext, ArrayBuffer::MaxArrayBufferLength, false);
                 uint32 viewRange = mappedLength + offset;
 
                 if (viewRange > byteLength || viewRange < mappedLength) // overflow indicates out-of-range
@@ -131,13 +117,12 @@ namespace Js
             mappedLength = byteLength - offset;
         }
 
-        //13.   Let O be OrdinaryCreateFromConstructor(NewTarget, "%DataViewPrototype%", [[DataView]], [[ViewedArrayBuffer]], [[ByteLength]], [[ByteOffset]]).
-        //14.   ReturnIfAbrupt(O).
-        //15.   Set O's[[DataView]] internal slot to true.
-        //16.   Set O's[[ViewedArrayBuffer]] internal slot to buffer.
-        //17.   Set O's[[ByteLength]] internal slot to viewByteLength.
-        //18.   Set O's[[ByteOffset]] internal slot to offset.
-        //19.   Return O.
+        //10.   Let O be OrdinaryCreateFromConstructor(NewTarget, "%DataViewPrototype%", [[DataView]], [[ViewedArrayBuffer]], [[ByteLength]], [[ByteOffset]]).
+        //11.   Set O's[[DataView]] internal slot to true.
+        //12.   Set O's[[ViewedArrayBuffer]] internal slot to buffer.
+        //13.   Set O's[[ByteLength]] internal slot to viewByteLength.
+        //14.   Set O's[[ByteOffset]] internal slot to offset.
+        //15.   Return O.
         dataView = scriptContext->GetLibrary()->CreateDataView(arrayBuffer, offset, mappedLength);
         return isCtorSuperCall ?
             JavascriptOperators::OrdinaryCreateFromConstructor(RecyclableObject::FromVar(newTarget), dataView, nullptr, scriptContext) :

diff --git a/lib/Runtime/Library/TypedArray.cpp b/lib/Runtime/Library/TypedArray.cpp
@@ -388,6 +388,7 @@ namespace Js
     Var TypedArrayBase::CreateNewInstance(Arguments& args, ScriptContext* scriptContext, uint32 elementSize, PFNCreateTypedArray pfnCreateTypedArray)
     {
         uint32 byteLength = 0;
+        uint32 newByteLength = 0;
         int32 offset = 0;
         int32 mappedLength = -1;
         uint32 elementCount = 0;
@@ -509,12 +510,15 @@ namespace Js
             if (args.Info.Count > 3 && !JavascriptOperators::IsUndefinedObject(args[3]))
             {
                 mappedLength = ArrayBuffer::ToIndex(args[3], JSERR_InvalidTypedArrayLength, scriptContext, ArrayBuffer::MaxArrayBufferLength / elementSize, false);
+                newByteLength = mappedLength * elementSize;
 
-                if ((uint32)mappedLength > (byteLength - offset)/ elementSize)
+                if (offset + newByteLength > byteLength)
                 {
                     JavascriptError::ThrowRangeError(
                         scriptContext, JSERR_InvalidTypedArrayLength);
                 }
+
+                byteLength = newByteLength;
             }
             else
             {

diff --git a/test/typedarray/TypedArrayBuiltins.js b/test/typedarray/TypedArrayBuiltins.js
@@ -338,6 +338,60 @@ var tests = [
                 test(taCtor);
             }
         }
+    },
+    {
+        name: "TypedArray : Error cases for constructor TypedArray( buffer, byteOffset, length )",
+        body: function () {
+            var sourceArrayBuffer1 = new ArrayBuffer(10);
+
+            // offset > byteLength
+            function TestOffsetBeyondSourceArrayBufferLength()
+            {
+                new Int16Array(sourceArrayBuffer1, 12);
+            }
+
+            assert.throws(
+                TestOffsetBeyondSourceArrayBufferLength, 
+                RangeError, 
+                "TypedArray: Expected the function to throw RangeError as (offset > byteLength).", 
+                "Invalid offset/length when creating typed array")
+
+            // offset % elementSize != 0
+            function TestIncorrectOffset()
+            {
+                new Int16Array(sourceArrayBuffer1, 7, 1);
+            }
+
+            assert.throws(
+                TestIncorrectOffset, 
+                RangeError, 
+                "TypedArray: Expected the function to throw RangeError as (offset % elementSize) != 0.", 
+                "Invalid offset/length when creating typed array")
+
+            // (Length * elementSize + offset) beyond array buffer length.
+            function TestLengthBeyondSourceArrayBufferLength()
+            {
+                new Int16Array(sourceArrayBuffer1, 6, 4);
+            }
+
+            assert.throws(
+                TestLengthBeyondSourceArrayBufferLength, 
+                RangeError, 
+                "TypedArray: Expected the function to throw RangeError as ((Length * elementSize + offset)) != byteLength.", 
+                "Invalid offset/length when creating typed array")
+
+            // (byteLength - offset) % elementSize != 0
+            function TestOffsetPlusElementSizeBeyondSourceArrayBufferLength()
+            {
+                new Int32Array(sourceArrayBuffer1, 4);
+            }
+
+            assert.throws(
+                TestOffsetPlusElementSizeBeyondSourceArrayBufferLength, 
+                RangeError, 
+                "TypedArray: Expected the function to throw RangeError as (byteLength - offset) % elementSize != 0.", 
+                "Invalid offset/length when creating typed array")
+        }
     }
 ];