|
|
@@ -1092,6 +1092,19 @@ class USDCParser {
|
|
|
|
|
|
// Seek to payload offset and read value
|
|
|
const offset = valueRep.payload;
|
|
|
+ if ( offset === 0 && isArray ) {
|
|
|
+
|
|
|
+ // Spec 16.3.9.3: Array payload 0 is an explicit empty-array sentinel.
|
|
|
+ return [];
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ if ( offset < 0 || offset >= this.buffer.byteLength ) {
|
|
|
+
|
|
|
+ throw new RangeError( 'USDCParser: Invalid payload offset ' + offset + ' for type ' + type + '.' );
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
const savedOffset = this.reader.tell();
|
|
|
this.reader.seek( offset );
|
|
|
|
|
|
@@ -1569,6 +1582,19 @@ class USDCParser {
|
|
|
|
|
|
}
|
|
|
|
|
|
+ if ( ! Number.isSafeInteger( size ) || size < 0 ) {
|
|
|
+
|
|
|
+ throw new RangeError( 'USDCParser: Invalid array size ' + size + ' for type ' + type + '.' );
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ if ( size > 0x7FFFFFFF ) {
|
|
|
+
|
|
|
+ // Crate stores counts as uint64, but JS typed arrays cannot represent all such sizes.
|
|
|
+ throw new RangeError( 'USDCParser: Array size ' + size + ' exceeds implementation limits.' );
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
if ( size === 0 ) return [];
|
|
|
|
|
|
// Handle compressed arrays
|
Mr.doob