Title: [291448] trunk/Source
Revision
291448
Author
[email protected]
Date
2022-03-17 16:34:16 -0700 (Thu, 17 Mar 2022)

Log Message

Fix crash in Bleacher Report due to bad JSObjectRef passed to API
https://bugs.webkit.org/show_bug.cgi?id=238048
<rdar://88766464>

Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would
automatically check if the JSObjectRef passed to that function was null before
short-circuiting to the non-typed array return value, 0. While technically valid
since dereferencing null is UB, this meant that Clang was covering up this crash.
To fix this I'm adding an app-specific workaround for the time being so Bleacher
Report can fix their code to no longer pass this nullptr.

* API/JSTypedArray.cpp:
(isBleecherReport):
(JSObjectGetArrayBufferByteLength):

Source/WTF:

* wtf/cocoa/RuntimeApplicationChecksCocoa.h:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/API/JSTypedArray.cpp (291447 => 291448)


--- trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/_javascript_Core/API/JSTypedArray.cpp	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015 Dominic Szablewski ([email protected])
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,6 +36,10 @@
 #include "TypedArrayController.h"
 #include <wtf/RefPtr.h>
 
+#if PLATFORM(IOS)
+#include <wtf/cocoa/RuntimeApplicationChecksCocoa.h>
+#endif
+
 using namespace JSC;
 
 // Helper functions.
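Review bot: the functions the new helper calls below (CFBundleGetMainBundle, CFBundleGetIdentifier, CFEqual, CFSTR) come from CoreFoundation, and this hunk only adds `<wtf/cocoa/RuntimeApplicationChecksCocoa.h>`, so the build depends on that header (or an earlier include) pulling CoreFoundation in transitively. An explicit `#include <CoreFoundation/CoreFoundation.h>` inside the same `#if PLATFORM(IOS)` block would make the dependency visible and keep a later cleanup of that WTF header from breaking this file.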
@@ -361,6 +365,18 @@
     return nullptr;
 }
 
+#if PLATFORM(IOS)
+inline static bool isBleecherReport()
+{
+    auto bundleID = CFBundleGetIdentifier(CFBundleGetMainBundle());
+    return bundleID
+        && CFEqual(bundleID, CFSTR("com.bleacherreport.TeamStream"))
+        && !linkedOnOrAfter(SDKVersion::FirstWithoutBleecherReportQuirk);
+}
+#else
+inline static bool isBleecherReport() { return false; }
+#endif
+
 size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*)
 {
     JSGlobalObject* globalObject = toJS(ctx);
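Review bot: the new identifier `isBleecherReport` (and the matching `FirstWithoutBleecherReportQuirk`) misspells the app name that the bug title and the bundle identifier `com.bleacherreport.TeamStream` use; since this spelling is also being baked into a public-ish SDK-version enum, renaming both to the "Bleacher" spelling before landing avoids a noisy follow-up. Two documentation points for the same hunk: the quirk has no stated removal plan, so a FIXME with the bug URL next to the helper would record when it can go, and a one-line comment should say that this is deliberately narrow, because the check keys on a self-reported bundle identifier plus linked SDK and the only relaxation it grants is the `return 0` below rather than any extra capability, which is why gating on an unverified bundle ID is acceptable here.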
@@ -367,6 +383,14 @@
     VM& vm = globalObject->vm();
     JSObject* object = toJS(objectRef);
 
+    if (!object) {
+        // For some reason prior to https://bugs.webkit.org/show_bug.cgi?id=235720 Clang would emit code
+        // to early return if objectRef is 0 but not after. Passing 0 should be invalid API use.
+        static bool shouldntCrash = isBleecherReport();
+        RELEASE_ASSERT(shouldntCrash);
+        return 0;
+    }
+
     if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(vm, object))
         return jsBuffer->impl()->byteLength();
     
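Review bot: the in-code comment ("For some reason ... Clang would emit code to early return") understates the actual cause and will mislead the next reader; `toJS(nullptr)` yields a null `JSObject*`, dereferencing it is undefined behaviour, so the compiler was never obliged to keep an early return and the pre-overhaul behaviour was an accident of codegen. Suggest rewording to state that plainly, e.g. "Passing a null JSObjectRef is invalid API use; the old code relied on UB that happened to compile to an early return. This explicit check replaces it." The `static bool shouldntCrash` is evaluated once on the first null call, which is fine, but the name reads inverted against `RELEASE_ASSERT(shouldntCrash)`; something like `allowNullObject` makes the assert read as "assert this app is allowed to pass null". Finally, since the same `toJS(objectRef)` pattern is used by the other entry points in this file, it is worth checking whether any of them dereference the object unconditionally as well and need the same explicit null handling.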

Modified: trunk/Source/_javascript_Core/ChangeLog (291447 => 291448)


--- trunk/Source/_javascript_Core/ChangeLog	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,3 +1,22 @@
+2022-03-17  Keith Miller  <[email protected]>
+
+        Fix crash in Bleacher Report due to bad JSObjectRef passed to API
+        https://bugs.webkit.org/show_bug.cgi?id=238048
+        <rdar://88766464>
+
+        Reviewed by Yusuke Suzuki.
+
+        Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would
+        automatically check if the JSObjectRef passed to that function was null before
+        short circuiting to the non-typed array return value, 0. While technically valid
+        since derefencing null is UB, this meant the Clang was covering up this crash.
+        To fix this I'm adding an app specific workaround for the time being so Bleacher
+        Report can fix their code to no longer pass this nullptr.
+
+        * API/JSTypedArray.cpp:
+        (isBleecherReport):
+        (JSObjectGetArrayBufferByteLength):
+
 2022-03-17  Mikhail R. Gadelha  <[email protected]>
 
         Unreviewed, non-unified build fix

Modified: trunk/Source/WTF/ChangeLog (291447 => 291448)


--- trunk/Source/WTF/ChangeLog	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/WTF/ChangeLog	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,3 +1,13 @@
+2022-03-17  Keith Miller  <[email protected]>
+
+        Fix crash in Bleacher Report due to bad JSObjectRef passed to API
+        https://bugs.webkit.org/show_bug.cgi?id=238048
+        <rdar://88766464>
+
+        Reviewed by Yusuke Suzuki.
+
+        * wtf/cocoa/RuntimeApplicationChecksCocoa.h:
+
 2022-03-16  Myles C. Maxfield  <[email protected]>
 
         [WebGPU] Implement first draft of buffer mapping according to the spec

Modified: trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h (291447 => 291448)


--- trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h	2022-03-17 22:55:21 UTC (rev 291447)
+++ trunk/Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h	2022-03-17 23:34:16 UTC (rev 291448)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@
     FirstWithoutExpandoIndexedPropertiesOnWindow = DYLD_IOS_VERSION_15_0,
     FirstThatDoesNotDrainTheMicrotaskQueueWhenCallingObjC = DYLD_IOS_VERSION_15_0,
     FirstWithAuthorizationHeaderOnSameOriginRedirects = DYLD_IOS_VERSION_15_4,
+    FirstWithoutBleecherReportQuirk = DYLD_IOS_VERSION_16_0,
     FirstForbiddingDotPrefixedFonts = DYLD_IOS_VERSION_16_0,
 #elif PLATFORM(MAC)
     FirstVersionThatSupportsInitConstructors = 0xA0A00, // OS X 10.10
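Review bot: the new `FirstWithoutBleecherReportQuirk = DYLD_IOS_VERSION_16_0` entry keeps the ascending order of the block and sits under the existing `#if PLATFORM(IOS)` branch, so on macOS the `#else` stub in JSTypedArray.cpp is what applies and every null caller there hits the RELEASE_ASSERT, which matches the intent. The spelling should follow whatever is chosen for the helper in JSTypedArray.cpp so the two names stay in sync; a trailing comment naming the bug (https://bugs.webkit.org/show_bug.cgi?id=238048) would also help whoever removes the value once the app is fixed.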