Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (229258 => 229259)
--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-03-05 12:34:05 UTC (rev 229258)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-03-05 12:34:12 UTC (rev 229259)
@@ -1,3 +1,12 @@
+2018-02-28 Yusuke Suzuki <[email protected]>
+
+ JSC crash with `import("")`
+ https://bugs.webkit.org/show_bug.cgi?id=183175
+
+ Reviewed by Saam Barati.
+
+ * stress/import-with-empty-string.js: Added.
+
2018-02-27 Yusuke Suzuki <[email protected]>
Unreviewed, skip FTL tests if FTL is disabled
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/import-with-empty-string.js (0 => 229259)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/import-with-empty-string.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/import-with-empty-string.js 2018-03-05 12:34:12 UTC (rev 229259)
@@ -0,0 +1,2 @@
+import("").then($vm.abort, function () {
+});
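Review bot: The rejection callback on the second line accepts any reason, so the test only establishes that `import("")` rejects instead of crashing, not that it rejects with the error the module loader is expected to raise. If the intended failure mode is known, checking the reason in the handler, e.g. `function (error) { if (!(error instanceof Error)) $vm.abort(); }`, would make the regression test stricter; I presume the other tests in this directory have a shared helper for that kind of assertion.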
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (229258 => 229259)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-03-05 12:34:05 UTC (rev 229258)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-03-05 12:34:12 UTC (rev 229259)
@@ -1,3 +1,18 @@
+2018-02-28 Yusuke Suzuki <[email protected]>
+
+ JSC crash with `import("")`
+ https://bugs.webkit.org/show_bug.cgi?id=183175
+
+ Reviewed by Saam Barati.
+
+ Add file existence and file type check for module loader implementation in jsc.cpp.
+ This is not safe for TOCTOU, but it is OK since this functionality is used for the
+ JSC shell (jsc.cpp): testing purpose.
+
+ * jsc.cpp:
+ (fillBufferWithContentsOfFile):
+ (fetchModuleFromLocalFileSystem):
+
2018-02-27 Keith Miller <[email protected]>
Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr)
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jsc.cpp (229258 => 229259)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jsc.cpp 2018-03-05 12:34:05 UTC (rev 229258)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/jsc.cpp 2018-03-05 12:34:12 UTC (rev 229259)
@@ -77,6 +77,8 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
#include <thread>
#include <type_traits>
#include <wtf/CommaPrinter.h>
@@ -853,12 +855,16 @@
static RefPtr<Uint8Array> fillBufferWithContentsOfFile(FILE* file)
{
- fseek(file, 0, SEEK_END);
- size_t bufferCapacity = ftell(file);
- fseek(file, 0, SEEK_SET);
+ if (fseek(file, 0, SEEK_END) == -1)
+ return nullptr;
+ long bufferCapacity = ftell(file);
+ if (bufferCapacity == -1)
+ return nullptr;
+ if (fseek(file, 0, SEEK_SET) == -1)
+ return nullptr;
RefPtr<Uint8Array> result = Uint8Array::create(bufferCapacity);
size_t readSize = fread(result->data(), 1, bufferCapacity, file);
- if (readSize != bufferCapacity)
+ if (readSize != static_cast<size_t>(bufferCapacity))
return nullptr;
return result;
}
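Review bot: After the `-1` check `bufferCapacity` stays a `long` that is then handed to `Uint8Array::create` and `fread`, so the same conversion that the rewritten comparison spells out with `static_cast<size_t>` happens implicitly on the two lines above it. Converting once, `size_t fileSize = static_cast<size_t>(bufferCapacity);` directly after the `ftell` check, and using `fileSize` in all three places makes the intent explicit. The seek/tell/seek sequence with its three early returns is now duplicated verbatim in the overload of the next hunk (the one beginning at `// We might have injected`), so a small `static bool fileSizeOf(FILE*, size_t&)` helper would keep the two in step. Note that `ftell` only yields a byte count for a regular file, so this helper still depends on the caller's new `S_IFREG` check rather than being safe on its own.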
@@ -881,9 +887,13 @@
{
// We might have injected "use strict"; at the top.
size_t initialSize = buffer.size();
- fseek(file, 0, SEEK_END);
- size_t bufferCapacity = ftell(file);
- fseek(file, 0, SEEK_SET);
+ if (fseek(file, 0, SEEK_END) == -1)
+ return false;
+ long bufferCapacity = ftell(file);
+ if (bufferCapacity == -1)
+ return false;
+ if (fseek(file, 0, SEEK_SET) == -1)
+ return false;
buffer.resize(bufferCapacity + initialSize);
size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
return readSize == buffer.size() - initialSize;
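Review bot: The unchanged `fread` after the resize requests `buffer.size()` bytes, but the destination `buffer.data() + initialSize` has only `buffer.size() - initialSize` bytes behind it; if the file delivers more bytes than `ftell` reported (the ChangeLog explicitly accepts the TOCTOU window), the read writes past the end of the buffer. The count should be the writable length, `size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size() - initialSize, file);`, which also makes the final comparison read naturally. The addition `bufferCapacity + initialSize` now mixes a `long` with a `size_t`; casting once after the `-1` check avoids the implicit conversion. The function's signature lies above the hunk.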
@@ -918,9 +928,23 @@
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247.aspx#maxpath
// Use long UNC to pass the long path name to the Windows APIs.
String longUNCPathName = WTF::makeString("\\\\?\\", fileName);
- FILE* f = _wfopen(stringToNullTerminatedWChar(longUNCPathName).data(), L"rb");
+ auto pathName = stringToNullTerminatedWChar(longUNCPathName);
+ struct _stat status { };
+ if (_wstat(pathName.data(), &status))
+ return false;
+ if ((status.st_mode & S_IFMT) != S_IFREG)
+ return false;
+
+ FILE* f = _wfopen(pathName.data(), L"rb");
#else
- FILE* f = fopen(fileName.utf8().data(), "r");
+ auto pathName = fileName.utf8();
+ struct stat status { };
+ if (stat(pathName.data(), &status))
+ return false;
+ if ((status.st_mode & S_IFMT) != S_IFREG)
+ return false;
+
+ FILE* f = fopen(pathName.data(), "r");
#endif
if (!f) {
fprintf(stderr, "Could not open file: %s\n", fileName.utf8().data());
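Review bot: The new `stat`/`_wstat` and `S_IFREG` early returns exit silently, while the `fopen` failure just below still reports `Could not open file: …` to stderr, so a missing or non-regular module path now yields a rejected import with no diagnostic in the shell output. Routing those returns through the same message, or a variant such as `Module path is not a regular file: %s`, keeps the shell's failure output consistent. On the POSIX side `S_ISREG(status.st_mode)` expresses the mode test more directly than the `S_IFMT` mask; as far as I know the MSVC CRT ships no `S_ISREG`, so the mask form is the portable choice in the Windows branch. The function's opening and the remainder of its body lie outside the hunk.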