Title: [272199] trunk/Source/WebCore
Revision
272199
Author
[email protected]
Date
2021-02-02 01:33:36 -0800 (Tue, 02 Feb 2021)

Log Message

Missing exception check with new MediaStream(0)
https://bugs.webkit.org/show_bug.cgi?id=220355

Patch by Carlos Garcia Campos <[email protected]> on 2021-02-02
Reviewed by Mark Lam.

This is because the MediaStream constructor calls hasIteratorMethod(), which can throw an exception (it looks up Symbol.iterator on a script-controlled object), but the result was used without checking the exception scope.

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateOverloadDispatcher): Handle overload calls when the dispatch condition can throw an exception.
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::jsTestObjPrototypeFunction_overloadedMethodOverloadDispatcher):
* bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
(WebCore::JSTestOverloadedConstructorsWithSequenceDOMConstructor::construct):


Modified: trunk/Source/WebCore/ChangeLog (272198 => 272199)


--- trunk/Source/WebCore/ChangeLog	2021-02-02 09:22:10 UTC (rev 272198)
+++ trunk/Source/WebCore/ChangeLog	2021-02-02 09:33:36 UTC (rev 272199)
@@ -1,3 +1,19 @@
+2021-02-02  Carlos Garcia Campos  <[email protected]>
+
+        Missing exception check with new MediaStream(0)
+        https://bugs.webkit.org/show_bug.cgi?id=220355
+
+        Reviewed by Mark Lam.
+
+        This is because the MediaStream constructor calls hasIteratorMethod() that can throw a exception, but it's not checked.
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateOverloadDispatcher): Handle overload calls when the condition can throw a exception.
+        * bindings/scripts/test/JS/JSTestObj.cpp:
+        (WebCore::jsTestObjPrototypeFunction_overloadedMethodOverloadDispatcher):
+        * bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
+        (WebCore::JSTestOverloadedConstructorsWithSequenceDOMConstructor::construct):
+
 2021-02-02  Rob Buis  <[email protected]>
 
         Provide mock dtmf sender

Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (272198 => 272199)


--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2021-02-02 09:22:10 UTC (rev 272198)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	2021-02-02 09:33:36 UTC (rev 272199)
@@ -3660,12 +3660,23 @@
     my %allSets = ComputeEffectiveOverloadSet($operation->{overloads});
 
     my $generateOverloadCallIfNecessary = sub {
-        my ($overload, $condition, $include) = @_;
+        my ($overload, $condition, $conditionCanThrow, $include) = @_;
         return unless $overload;
         my $conditionalString = $codeGenerator->GenerateConditionalString($overload);
         push(@implContent, "#if ${conditionalString}\n") if $conditionalString;
-        push(@implContent, "        if ($condition)\n    ") if $condition;
-        push(@implContent, "        RELEASE_AND_RETURN(throwScope, (" . $overloadFunctionPrefix . $overload->{overloadIndex} . $overloadFunctionSuffix . "(${parametersToForward})));\n");
+        if ($condition && $conditionCanThrow) {
+            push(@implContent, "        {\n");
+            push(@implContent, "            bool success = $condition;\n");
+            push(@implContent, "            RETURN_IF_EXCEPTION(throwScope, { });\n");
+            push(@implContent, "            if (success)\n");
+            push(@implContent, "                RELEASE_AND_RETURN(throwScope, (" . $overloadFunctionPrefix . $overload->{overloadIndex} . $overloadFunctionSuffix . "(${parametersToForward})));\n");
+            push(@implContent, "        }\n");
+        } elsif ($condition) {
+            push(@implContent, "        if ($condition)\n");
+            push(@implContent, "            RELEASE_AND_RETURN(throwScope, (" . $overloadFunctionPrefix . $overload->{overloadIndex} . $overloadFunctionSuffix . "(${parametersToForward})));\n");
+        } else {
+            push(@implContent, "        RELEASE_AND_RETURN(throwScope, (" . $overloadFunctionPrefix . $overload->{overloadIndex} . $overloadFunctionSuffix . "(${parametersToForward})));\n");
+        }
         push(@implContent, "#endif\n") if $conditionalString;
         AddToImplIncludes($include, $overload->extendedAttributes->{Conditional}) if $include;
     };
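Review bot: The new `$conditionCanThrow` flag is inserted ahead of `$include` in the closure's `my (...) = @_;` list, so any other caller in this file that still passes an include path as the third positional argument would now have that string land in `$conditionCanThrow` (truthy) and silently lose its include; the only caller updated in this commit is the hasIteratorMethod one, and I cannot see the remaining call sites from here to confirm none do. Appending the flag last, `my ($overload, $condition, $include, $conditionCanThrow) = @_;`, keeps every existing three-argument call correct and only the one throwing call site has to pass a fourth value. The generated C++ shape is otherwise right: evaluating the condition into `success` and then `RETURN_IF_EXCEPTION(throwScope, { });` before branching matters because a Symbol.iterator getter is script-controlled and can leave an exception pending. The enclosing GenerateOverloadDispatcher sub starts before and ends after this hunk.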
@@ -3779,7 +3790,7 @@
 
             # FIXME: Avoid invoking GetMethod(object, Symbol.iterator) again in convert<IDLSequence<T>>(...).
             $overload = GetOverloadThatMatches($S, $d, \&$isSequenceOrFrozenArrayParameter);
-            &$generateOverloadCallIfNecessary($overload, "hasIteratorMethod(lexicalGlobalObject, distinguishingArg)", "<_javascript_Core/IteratorOperations.h>");
+            &$generateOverloadCallIfNecessary($overload, "hasIteratorMethod(lexicalGlobalObject, distinguishingArg)", 1, "<_javascript_Core/IteratorOperations.h>");
 
             $overload = GetOverloadThatMatches($S, $d, \&$isDictionaryOrRecordOrObjectOrCallbackInterfaceParameter);
             &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isObject()");
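Review bot: The bare `1` passed in the updated hasIteratorMethod call does not say what it enables, and a reader has to go back to the closure definition to learn it changes the generated exception handling. A one-line comment on that call, `# hasIteratorMethod() looks up Symbol.iterator and can run script, so the generated check must test the exception scope before branching`, ties the flag to the FIXME just above it. The `distinguishingArg.isObject()` call on the following line correctly leaves the flag unset, since a type check on a JSValue cannot throw. This is inside GenerateOverloadDispatcher, which continues outside the hunk.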

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (272198 => 272199)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp	2021-02-02 09:22:10 UTC (rev 272198)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp	2021-02-02 09:33:36 UTC (rev 272199)
@@ -7795,8 +7795,12 @@
             RELEASE_AND_RETURN(throwScope, (jsTestObjPrototypeFunction_overloadedMethod9Body(lexicalGlobalObject, callFrame, castedThis)));
         if (distinguishingArg.isObject() && asObject(distinguishingArg)->inherits<JSBlob>(vm))
             RELEASE_AND_RETURN(throwScope, (jsTestObjPrototypeFunction_overloadedMethod13Body(lexicalGlobalObject, callFrame, castedThis)));
-        if (hasIteratorMethod(lexicalGlobalObject, distinguishingArg))
-            RELEASE_AND_RETURN(throwScope, (jsTestObjPrototypeFunction_overloadedMethod7Body(lexicalGlobalObject, callFrame, castedThis)));
+        {
+            bool success = hasIteratorMethod(lexicalGlobalObject, distinguishingArg);
+            RETURN_IF_EXCEPTION(throwScope, { });
+            if (success)
+                RELEASE_AND_RETURN(throwScope, (jsTestObjPrototypeFunction_overloadedMethod7Body(lexicalGlobalObject, callFrame, castedThis)));
+        }
         if (distinguishingArg.isObject())
             RELEASE_AND_RETURN(throwScope, (jsTestObjPrototypeFunction_overloadedMethod5Body(lexicalGlobalObject, callFrame, castedThis)));
         if (distinguishingArg.isNumber())

Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (272198 => 272199)


--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp	2021-02-02 09:22:10 UTC (rev 272198)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp	2021-02-02 09:33:36 UTC (rev 272199)
@@ -136,8 +136,12 @@
         JSValue distinguishingArg = callFrame->uncheckedArgument(0);
         if (distinguishingArg.isUndefined())
             RELEASE_AND_RETURN(throwScope, (constructJSTestOverloadedConstructorsWithSequence1(lexicalGlobalObject, callFrame)));
-        if (hasIteratorMethod(lexicalGlobalObject, distinguishingArg))
-            RELEASE_AND_RETURN(throwScope, (constructJSTestOverloadedConstructorsWithSequence1(lexicalGlobalObject, callFrame)));
+        {
+            bool success = hasIteratorMethod(lexicalGlobalObject, distinguishingArg);
+            RETURN_IF_EXCEPTION(throwScope, { });
+            if (success)
+                RELEASE_AND_RETURN(throwScope, (constructJSTestOverloadedConstructorsWithSequence1(lexicalGlobalObject, callFrame)));
+        }
         RELEASE_AND_RETURN(throwScope, (constructJSTestOverloadedConstructorsWithSequence2(lexicalGlobalObject, callFrame)));
     }
     return throwVMTypeError(lexicalGlobalObject, throwScope);