From 21baffd9a2a60ee38f2857b72dd4e55a35f3b2cd Mon Sep 17 00:00:00 2001
From: jmoenig
Date: Tue, 9 Feb 2021 22:30:37 +0100
Subject: [PATCH] limit crash-dangerous matrix-exploding ops to 1 MM elements (reshape, crossproduct)
---
HISTORY.md | 1 +
src/lists.js | 11 +++++++++++
2 files changed, 12 insertions(+)
diff --git a/HISTORY.md b/HISTORY.md
index 86ee836c..101dca82 100755
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -16,6 +16,7 @@
* threads: enhanced MIN and MAX to also operate on text
* threads: enhanced list attributes 'rank', 'shape' and 'ravel' to also handle scalars
* threads: enhanced 'reshape' to also handle scalars
+* lists: limit crash-dangerous matrix-exploding ops to 1 MM elements (reshape, crossproduct)
### 2021-02-08
* lists, objects, threads: new RESHAPE primitive
diff --git a/src/lists.js b/src/lists.js
index 88ffb7dd..2d2548b9 100644
--- a/src/lists.js
+++ b/src/lists.js
@@ -613,6 +613,11 @@ List.prototype.reshape = function (dimensions) {
// truncate excess elements from the source
trg = src.slice(0, size);
} else {
+ if (size > src.length && dimensions.length() > 2 && size > 1000000) {
+ // limit usage of reshape to grow to a maximum size of 1MM rows
+ // in higher dimensions to prevent accidental dimension overflow
+ throw new Error('exceeding the size limit for reshape');
+ }
// pad the source by repeating its existing elements
trg = src.slice();
while (trg.length < size) {
@@ -667,6 +672,12 @@ List.prototype.crossproduct = function () {
size = lengths.itemsArray().reduce((a, b) => a * b),
i, k, row, factor;
+ // limit crossproduct to a maximum size of 1MM rows
+ // to guard against accidental memory overflows in Chrome
+ if (size > 1000000) {
+ throw new Error('exceeding the size limit for cross product');
+ }
+
for (i = 1; i <= size; i += 1) {
row = new List();
factor = 1;
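Review bot: The size check added to the `else` branch of `List.prototype.reshape` only fires when `dimensions.length() > 2`, so a one- or two-dimensional target (for example 100000 by 100000) still reaches the padding loop `while (trg.length < size)` with no upper bound. That is the same memory exhaustion the commit sets out to prevent. Unless unlimited growth in low dimensions is intended, the guard could read `if (size > src.length && size > 1000000) {`; if the exemption is deliberate, the comment should say why two dimensions are considered safe. The comment also speaks of "1MM rows" while `size` is compared against the flat `src.length`, so `// refuse to grow the result beyond 1,000,000 elements` would describe the check more accurately. The function starts and ends outside the hunk, so the conditions of the preceding branch could not be checked.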
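Review bot: The guard in `List.prototype.crossproduct` caps `size`, the product of the input lengths and so the number of result rows, but the loop that follows builds a `new List()` per row. Presumably each row holds one item per input list, in which case the allocation is the row count times the number of inputs and can be several times the "1 MM elements" named in the commit subject and HISTORY entry. If an element budget is intended, the comparison should multiply `size` by the number of input lists; if a row budget is intended, the HISTORY line should say rows. The literal `1000000` is also repeated in the reshape guard, so a shared named constant would keep the two limits from drifting apart. The loop body continues outside the hunk.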