Changeset 144106 in webkit


Timestamp:
Feb 26, 2013, 2:13:51 PM (12 years ago)
Author:
jschuh@chromium.org
Message:

Merge 143811
BUG=webkit.org/b/110394
TBR=jschuh@chromium.org
Review URL: https://codereview.chromium.org/12334103

File:
1 edited

  • branches/chromium/1364/Source/WebCore/rendering/RenderArena.cpp

    r133119 r144106  
    3737#include "RenderArena.h"
    3838
     39#include <limits>
    3940#include <stdlib.h>
    4041#include <string.h>
    4142#include <wtf/Assertions.h>
     43#include <wtf/CryptographicallyRandomNumber.h>
    4244
    4345#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
     
    9092    // RenderObject pointer.
    9193    // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
    92 
    93     // The bottom bits are predictable because the binary is loaded on a
    94     // boundary. This just shifts most of those predictable bits out.
    95     m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
     94    WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
     95    m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;
    9696}
    9797
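Review bot: The new m_mask initialisation at new lines 94-95 carries no comment, while the comment it replaces explained how the old mask was derived. The OR on new line 95 forces the top two bits and bit 0 of the mask to 1, which fixes three bits of an otherwise random value. Please add a line stating which property of the masked pointer those forced bits are meant to guarantee, so a later reader does not mistake them for an accident and drop them. Separately, the shift is computed from std::numeric_limits<uintptr_t>::digits while the random fill uses sizeof(m_mask). The two agree only if m_mask is declared as uintptr_t, which these lines do not show, so a compile-time assertion that sizeof(m_mask) equals sizeof(uintptr_t) next to this code would keep them in step.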