Changeset 140633 in webkit

Timestamp:

Jan 23, 2013 6:55:32 PM (11 years ago)

Author:

inferno@chromium.org

Message:

Add support for ASSERT_WITH_SECURITY_IMPLICATION.
​https://bugs.webkit.org/show_bug.cgi?id=107699

Reviewed by Eric Seidel.

Source/WebCore:

• dom/ContainerNode.cpp:

(WebCore::ContainerNode::parserInsertBefore): Use ASSERT_WITH_SECURITY_IMPLICATION
for document confusion ASSERT(document() == newChild->document())
(WebCore::ContainerNode::parserAppendChild): same.

Source/WTF:

• wtf/Assertions.h: Add ASSERT_WITH_SECURITY_IMPLICATION to

indicate possible security vulnerabily and enable it by default
in fuzzing builds.

• wtf/Vector.h: Use ASSERT_WITH_SECURITY_IMPLICATION for

bounds check on [] operator.

Location:

trunk/Source

Files:

• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Assertions.h (modified) (1 diff)
• WTF/wtf/Vector.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/dom/ContainerNode.cpp (modified) (2 diffs)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2013-01-23  Abhishek Arya  <inferno@chromium.org>
+
+        Add support for ASSERT_WITH_SECURITY_IMPLICATION.
+        https://bugs.webkit.org/show_bug.cgi?id=107699
+
+        Reviewed by Eric Seidel.
+
+        * wtf/Assertions.h: Add ASSERT_WITH_SECURITY_IMPLICATION to
+        indicate possible security vulnerabily and enable it by default
+        in fuzzing builds.
+        * wtf/Vector.h: Use ASSERT_WITH_SECURITY_IMPLICATION for
+        bounds check on [] operator.
+
 2013-01-23  Tony Chang  <tony@chromium.org>
 

trunk/Source/WTF/wtf/Assertions.h

@@ -267 +267 @@
 #endif
 
+/* ASSERT_WITH_SECURITY_IMPLICATION
+   
+   Failure of this assertion indicates a possible security vulnerability.
+   Class of vulnerabilities that it tests include bad casts, out of bounds
+   accesses, use-after-frees, etc. Please file a bug using the security
+   template - https://bugs.webkit.org/enter_bug.cgi?product=Security.
+
+*/
+#ifdef ADDRESS_SANITIZER
+
+#define ASSERT_WITH_SECURITY_IMPLICATION(assertion) \
+    (!(assertion) ? \
+        (WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion), \
+         CRASH()) : \
+        (void)0)
+
+#else
+
+#define ASSERT_WITH_SECURITY_IMPLICATION(assertion) ASSERT(assertion)
+
+#endif
+
 /* ASSERT_WITH_MESSAGE */
 

trunk/Source/WTF/wtf/Vector.h

@@ -548 +548 @@
         T& at(size_t i) 
         { 
-            ASSERT(i < size());
+            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
             return m_buffer.buffer()[i]; 
         }
         const T& at(size_t i) const 
         {
-            ASSERT(i < size());
+            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
             return m_buffer.buffer()[i]; 
         }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-01-23  Abhishek Arya  <inferno@chromium.org>
+
+        Add support for ASSERT_WITH_SECURITY_IMPLICATION.
+        https://bugs.webkit.org/show_bug.cgi?id=107699
+
+        Reviewed by Eric Seidel.
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::parserInsertBefore): Use ASSERT_WITH_SECURITY_IMPLICATION
+        for document confusion ASSERT(document() == newChild->document())
+        (WebCore::ContainerNode::parserAppendChild): same.
+
 2013-01-23  Ian Vollick  <vollick@chromium.org>
 

trunk/Source/WebCore/dom/ContainerNode.cpp

@@ -324 +324 @@
     ASSERT(nextChild);
     ASSERT(nextChild->parentNode() == this);
-    ASSERT(document() == newChild->document());
     ASSERT(!newChild->isDocumentFragment());
+    ASSERT_WITH_SECURITY_IMPLICATION(document() == newChild->document());
 
     if (nextChild->previousSibling() == newChild || nextChild == newChild) // nothing to do
@@ -697 +697 @@
     ASSERT(!newChild->parentNode()); // Use appendChild if you need to handle reparenting (and want DOM mutation events).
     ASSERT(!newChild->isDocumentFragment());
-    ASSERT(document() == newChild->document());
+    ASSERT_WITH_SECURITY_IMPLICATION(document() == newChild->document());
 
     Node* last = m_lastChild;