Changeset 230101 in webkit
- Timestamp: Mar 30, 2018 5:05:34 AM
- Location: trunk
- Files: 1 added, 5 edited
trunk/JSTests/ChangeLog
r230026 r230101 1 2018-03-30 Robin Morisset <rmorisset@apple.com> 2 3 Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType 4 https://bugs.webkit.org/show_bug.cgi?id=183657 5 6 Reviewed by Keith Miller. 7 8 * stress/large-unshift-splice.js: Added. 9 (make_contig_arr): 10 1 11 2018-03-28 Robin Morisset <rmorisset@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r230098 r230101 1 2018-03-30 Robin Morisset <rmorisset@apple.com> 2 3 Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType 4 https://bugs.webkit.org/show_bug.cgi?id=183657 5 <rdar://problem/38464399> 6 7 Reviewed by Keith Miller. 8 9 There was just a missing check in unshiftCountForIndexingType. 10 I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path', 11 and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp). 12 Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk. 13 14 * runtime/ArrayPrototype.cpp: 15 (JSC::unshift): 16 * runtime/JSArray.cpp: 17 (JSC::JSArray::unshiftCountWithAnyIndexingType): 18 * runtime/JSObject.h: 19 (JSC::JSObject::ensureLength): 20 1 21 2018-03-29 Mark Lam <mark.lam@apple.com> 2 22 -
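Review bot: the ChangeLog entry is inconsistent about which function was fixed: the title says unshiftCountForAnyIndexingType, line 9 says unshiftCountForIndexingType, and the file list below names the function actually edited as JSC::JSArray::unshiftCountWithAnyIndexingType; use the real name in the title and description so the entry matches the code and is searchable. The reference to "line 360 of ArrayPrototype.cpp" for the no-unhandled-exception assert will go stale on the next edit to that file; naming the assert (or the function it sits in) would be more durable.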
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r229850 r230101 349 349 350 350 // Guard against overflow. 351 if (count > (UINT_MAX - length)) {351 if (count > UINT_MAX - length) { 352 352 throwOutOfMemoryError(exec, scope); 353 353 return; -
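Review bot: the only change in this hunk is dropping the redundant parentheses in `if (count > UINT_MAX - length)`, which is style-only, yet the ChangeLog lists ArrayPrototype.cpp (JSC::unshift) as part of the fix; either say in the ChangeLog that this file carries no behavioural change, or leave it out of the fix entirely, so a reader does not mistake this unsigned-wrap guard for the MAX_STORAGE_VECTOR_LENGTH check that actually lives in JSArray.cpp. The guard as written is still correct: it rejects exactly the counts for which `length + count` would wrap.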
trunk/Source/JavaScriptCore/runtime/JSArray.cpp
r228576 r230101 1061 1061 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1062 1062 } 1063 1063 1064 if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH) 1065 return false; 1066 1064 1067 if (!ensureLength(vm, oldLength + count)) { 1065 1068 throwOutOfMemoryError(exec, scope); 1066 return false;1069 return true; 1067 1070 } 1068 1071 butterfly = this->butterfly(); … … 1105 1108 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(vm)); 1106 1109 } 1107 1110 1111 if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH) 1112 return false; 1113 1108 1114 if (!ensureLength(vm, oldLength + count)) { 1109 1115 throwOutOfMemoryError(exec, scope); 1110 return false;1116 return true; 1111 1117 } 1112 1118 butterfly = this->butterfly(); -
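Review bot: the new `if (oldLength + count > MAX_STORAGE_VECTOR_LENGTH) return false;` in both hunks relies on the caller having already guarded `length + count` against unsigned wrap (the `count > UINT_MAX - length` check in ArrayPrototype.cpp); if any other caller reaches this function without that guard, the sum wraps and the check passes. Writing it as `if (count > MAX_STORAGE_VECTOR_LENGTH - oldLength) return false;` (valid because `oldLength <= MAX_STORAGE_VECTOR_LENGTH` holds for any array that got here) cannot wrap regardless of caller, and removes the dependency. The `return false` to `return true` flip after `throwOutOfMemoryError` deserves a one-line comment at both sites, since "return true after throwing" reads like a bug without the ChangeLog's explanation that `false` means "fall through to the ArrayStorage slow path", which asserts that no exception is pending. Finally, the two hunks are byte-identical; factoring the length check and the ensureLength call into a shared helper would keep them from drifting apart.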
trunk/Source/JavaScriptCore/runtime/JSObject.h
r230092 r230101 983 983 bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length) 984 984 { 985 ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);985 RELEASE_ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH); 986 986 ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType())); 987 987
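Review bot: promoting `ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH)` to `RELEASE_ASSERT` is the right trade: a caller that misses its own bound check now crashes deterministically instead of allocating an undersized butterfly and writing out of bounds. It does mean every existing caller of ensureLength must already enforce the bound, otherwise this hunk converts a latent memory-safety bug into a reachable release crash; the patch adds the check to the two unshift paths in JSArray.cpp, so the reviewer should confirm no other caller of ensureLength can pass an unchecked length. The adjacent indexing-type ASSERT stays debug-only, which is fine since a wrong indexing type here is a logic error rather than an attacker-controlled size.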