Changeset 275508 in webkit
- Timestamp: Apr 6, 2021 6:18:10 AM (3 years ago)
- Location: trunk
- Files: 2 added, 4 edited
trunk/LayoutTests/ChangeLog
r275507 r275508 1 2021-04-06 Keith Miller <keith_miller@apple.com> 2 3 CloneDeserializer should use ArrayBuffer::tryCreate 4 https://bugs.webkit.org/show_bug.cgi?id=224218 5 6 Reviewed by Antti Koivisto. 7 8 This test was generated by a fuzzer so it allocates a large Array backing store 9 by doing Object.defineProperty on a large offset. That said, I chose to leave it 10 because it's sometimes useful to do things in different ways for testing. 11 12 Also, skip the test on windows because we seem to throw a stack overflow error. 13 Not sure why this happens but it's not super important that this particular 14 test runs on all ports as we're mostly trying to just unblock the fuzzer. 15 16 * fast/dom/Window/post-message-large-array-buffer-should-not-crash-expected.txt: Added. 17 * fast/dom/Window/post-message-large-array-buffer-should-not-crash.html: Added. 18 * platform/win/TestExpectations: 19 1 20 2021-04-06 Alicia Boya García <aboya@igalia.com> 2 21 -
trunk/LayoutTests/platform/win/TestExpectations
r275398 r275508 2881 2881 ######################### End list of UNREVIEWED failures ########################## 2882 2882 ################################################################################ 2883 2884 # For some reason this test causes a stack overflow on windows but it's not important to test on every platform anyway. 2885 fast/dom/Window/post-message-large-array-buffer-should-not-crash.html [ Skip ] 2883 2886 2884 2887 # This feature is only enabled on Mac and iOS right now -
trunk/Source/WebCore/ChangeLog
r275504 r275508 1 2021-04-06 Keith Miller <keith_miller@apple.com> 2 3 CloneDeserializer should use ArrayBuffer::tryCreate 4 https://bugs.webkit.org/show_bug.cgi?id=224218 5 6 Reviewed by Antti Koivisto. 7 8 Right now CloneDeserializer assumes that every ArrayBuffer allocation during 9 deserialization will succeed. This is silly since it's an array-like object. 10 It should call tryCreate and fail the deserialization instead. 11 12 Test: fast/dom/Window/post-message-large-array-buffer-should-not-crash.html 13 14 * bindings/js/SerializedScriptValue.cpp: 15 (WebCore::CloneDeserializer::readArrayBuffer): 16 1 17 2021-04-06 Stephan Szabo <stephan.szabo@sony.com> 2 18 -
trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp
r275151 r275508 2428 2428 if (m_ptr + length > m_end) 2429 2429 return false; 2430 arrayBuffer = ArrayBuffer::create(m_ptr, length); 2430 arrayBuffer = ArrayBuffer::tryCreate(m_ptr, length); 2431 if (!arrayBuffer) 2432 return false; 2431 2433 m_ptr += length; 2432 2434 return true;
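Review bot: the added `if (!arrayBuffer) return false;` after `ArrayBuffer::tryCreate(m_ptr, length)` is the right way to turn an allocation failure into a failed deserialization instead of a crash, but the guard that precedes it, `if (m_ptr + length > m_end)`, still forms `m_ptr + length` from a `length` that comes out of the serialized stream; if that addition could wrap, the guard would not reject the input before `tryCreate` copies `length` bytes from `m_ptr`. Consider expressing the bound in terms of the remaining buffer instead, e.g. `if (length > static_cast<size_t>(m_end - m_ptr)) return false;`, so the comparison never depends on pointer arithmetic with untrusted `length`. It would also help to mention in the ChangeLog that callers of `readArrayBuffer` already treat a `false` return as aborting the whole deserialization, since that is what makes the early return here safe.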