Title: [204709] releases/WebKitGTK/webkit-2.12/Source/bmalloc
- Revision: 204709
- Author: [email protected]
- Date: 2016-08-22 06:51:23 -0700 (Mon, 22 Aug 2016)
Log Message
Merge r201772 - Prevents integer overflow in Vector.h
https://bugs.webkit.org/show_bug.cgi?id=158455
<rdar://problem/20235469>
Patch by Pranjal Jumde <[email protected]> on 2016-06-07
Reviewed by Mark Lam.
* bmalloc/Vector.h:
(bmalloc::Vector<T>::reallocateBuffer):
Diff
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog (204708 => 204709)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog 2016-08-22 13:33:00 UTC (rev 204708)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/ChangeLog 2016-08-22 13:51:23 UTC (rev 204709)
@@ -1,3 +1,14 @@
+2016-06-07 Pranjal Jumde <[email protected]>
+
+ Prevents integer overflow in Vector.h
+ https://bugs.webkit.org/show_bug.cgi?id=158455
+ <rdar://problem/20235469>
+
+ Reviewed by Mark Lam.
+
+ * bmalloc/Vector.h:
+ (bmalloc::Vector<T>::reallocateBuffer):
+
2016-05-17 Geoffrey Garen <[email protected]>
REGRESSION: JetStream crashes on some iPhones
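Review bot: The ChangeLog entry names (bmalloc::Vector<T>::reallocateBuffer) but gives no description after it, so the log does not say what changed in that function. A short line after the function name, for example that a release assertion now rejects a newCapacity whose product with sizeof(T) would overflow size_t, would let a reader understand the fix without opening Vector.h.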
Modified: releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Vector.h (204708 => 204709)
--- releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Vector.h 2016-08-22 13:33:00 UTC (rev 204708)
+++ releases/WebKitGTK/webkit-2.12/Source/bmalloc/bmalloc/Vector.h 2016-08-22 13:51:23 UTC (rev 204709)
@@ -198,6 +198,8 @@
template<typename T>
void Vector<T>::reallocateBuffer(size_t newCapacity)
{
+ RELEASE_BASSERT(newCapacity < std::numeric_limits<size_t>::max() / sizeof(T));
+
size_t vmSize = bmalloc::vmSize(newCapacity * sizeof(T));
T* newBuffer = vmSize ? static_cast<T*>(vmAllocate(vmSize)) : nullptr;
if (m_buffer) {
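Review bot: The new RELEASE_BASSERT at the top of reallocateBuffer bounds only the multiplication newCapacity * sizeof(T); the product is then passed to bmalloc::vmSize(), whose body is not part of this hunk, so if that function rounds its argument up, a product just below the size_t maximum could still wrap there. Consider asserting against the largest size vmSize() can accept, or placing an equivalent check inside vmSize() itself. Two smaller points: the comparison is strict, so a newCapacity exactly equal to std::numeric_limits<size_t>::max() / sizeof(T) is rejected even though that product does not overflow, which is harmless but deserves a comment or a change to <=; and the hunk uses std::numeric_limits without showing an #include <limits>, so confirm that Vector.h already includes that header rather than relying on a transitive include.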