Context Navigation

← Previous Changeset
Next Changeset →

Changeset 275508 in webkit

Timestamp:

Apr 6, 2021 6:18:10 AM (3 years ago)

Author:

keith_miller@apple.com

Message:

CloneDeserializer should use ArrayBuffer::tryCreate
https://bugs.webkit.org/show_bug.cgi?id=224218

Reviewed by Antti Koivisto.

Source/WebCore:

Right now CloneDeserializer assumes that every ArrayBuffer allocation during
deserialization will succeed. This is silly since it's an array-like object.
It should call tryCreate and fail the deserialization instead.

Test: fast/dom/Window/post-message-large-array-buffer-should-not-crash.html

bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::readArrayBuffer):

LayoutTests:

This test was generated by a fuzzer so it allocates a large Array backing store
by doing Object.defineProperty on a large offset. That said, I chose to leave it
because it's sometimes useful to do things in different ways for testing.

Also, skip the test on windows because we seem to throw a stack overflow error.
Not sure why this happens but it's not super important that this particular
test runs on all ports as we're mostly trying to just unblock the fuzzer.

fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added.
fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added.
platform/win/TestExpectations:

Location:

trunk

Files:

: 2 added
: 4 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt (added)
LayoutTests/fast/dom/Window/post-message-large-array-buffer-should-not-crash.html (added)
LayoutTests/platform/win/TestExpectations (modified) (1 diff)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r275507
+                      r275508
+-04-06  Keith Miller  <keith_miller@apple.com>
+        CloneDeserializer should use ArrayBuffer::tryCreate
+        https://bugs.webkit.org/show_bug.cgi?id=224218
+        Reviewed by Antti Koivisto.
+        This test was generated by a fuzzer so it allocates a large Array backing store
+        by doing Object.defineProperty on a large offset. That said, I chose to leave it
+        because it's sometimes useful to do things in different ways for testing.
+        Also, skip the test on windows because we seem to throw a stack overflow error.
+        Not sure why this happens but it's not super important that this particular
+        test runs on all ports as we're mostly trying to just unblock the fuzzer.
+        * fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added.
+        * fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added.
+        * platform/win/TestExpectations:
 -04-06  Alicia Boya García  <aboya@igalia.com>

trunk/LayoutTests/platform/win/TestExpectations

-                      r275398
+                      r275508
 ######################### End list of UNREVIEWED failures ##########################
 ################################################################################
+# For some reason this test causes a stack overflow on windows but it's not important to test on every platform anyway.
+fast/dom/Window/post-message-large-array-buffer-should-not-crash.html [ Skip ]
 # This feature is only enabled on Mac and iOS right now

trunk/Source/WebCore/ChangeLog

-                      r275504
+                      r275508
+-04-06  Keith Miller  <keith_miller@apple.com>
+        CloneDeserializer should use ArrayBuffer::tryCreate
+        https://bugs.webkit.org/show_bug.cgi?id=224218
+        Reviewed by Antti Koivisto.
+        Right now CloneDeserializer assumes that every ArrayBuffer allocation during
+        deserialization will succeed. This is silly since it's an array-like object.
+        It should call tryCreate and fail the deserialization instead.
+        Test: fast/dom/Window/post-message-large-array-buffer-should-not-crash.html
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readArrayBuffer):
 -04-06  Stephan Szabo  <stephan.szabo@sony.com>

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

-                      r275151
+                      r275508
         if (m_ptr + length > m_end)
             return false;
+        arrayBuffer = ArrayBuffer::create(m_ptr, length);
+        arrayBuffer = ArrayBuffer::tryCreate(m_ptr, length);
+        if (!arrayBuffer)
+            return false;
         m_ptr += length;
         return true;

Note: See TracChangeset for help on using the changeset viewer.