Branch: refs/heads/main
Home:   https://github.com/WebKit/WebKit
Commit: aac4cb050d4e9641f427de285f145034c317456f
    https://github.com/WebKit/WebKit/commit/aac4cb050d4e9641f427de285f145034c317456f
Author: Mark Lam <mark....@apple.com>
Date:   2023-12-14 (Thu, 14 Dec 2023)

Changed paths:
  M Source/JavaScriptCore/assembler/AssemblerBuffer.h
  M Source/WTF/wtf/PtrTag.h

Log Message:
-----------
ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398

Reviewed by Justin Michaud.

Currently, it uses the PAC DB key. However, the PAC DB key is already used for the PACCage for protecting TypedArray vector pointers. Using the PAC DA key instead would ensure that there is no collision between the "namespace"s of PACCage pointers and ARM64EHash intermediate values.

* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):

Originally-landed-as: 267815.228@safari-7617-branch (4eda4ebd52c1). rdar://119592222
Canonical link: https://commits.webkit.org/272087@main


Commit: 3a900e192fe7c22dccc007fde344d3a373476175
    https://github.com/WebKit/WebKit/commit/3a900e192fe7c22dccc007fde344d3a373476175
Author: Mark Lam <mark....@apple.com>
Date:   2023-12-14 (Thu, 14 Dec 2023)

Changed paths:
  M LayoutTests/fast/storage/serialized-script-value.html
  M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413

Reviewed by Keith Miller, Sihui Liu and Chris Dumez.

CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD, which is less than MAX_ARRAY_INDEX (0xFFFFFFFE), i.e. an index of 0xFFFFFFFD can be confused for the NonIndexPropertiesTag, resulting in type confusion.

This patch changes the structure of a serialized Array to always terminate its indexed property section with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the presence of a non-indexed properties section. The presence of a TerminatorTag immediately after the 1st TerminatorTag indicates that the non-indexed properties section is empty.

Also updated the comment describing the shape of a serialized Array, and rebased a test.

* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):

Originally-landed-as: 267815.202@safari-7617-branch (401705903095). rdar://119592509
Canonical link: https://commits.webkit.org/272088@main


Commit: 71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
    https://github.com/WebKit/WebKit/commit/71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
Author: Nisha Jain <nisha_j...@apple.com>
Date:   2023-12-14 (Thu, 14 Dec 2023)

Changed paths:
  A LayoutTests/cssom/crash-font-family-invalid-expected.html
  A LayoutTests/cssom/crash-font-family-invalid.html
  M Source/WebCore/style/StyleBuilderCustom.h

Log Message:
-----------
jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
https://bugs.webkit.org/show_bug.cgi?id=262487
rdar://115283280

Reviewed by Chris Dumez.

An invalid CSS value for the CSS "Font-family" property has to be handled by returning instead of causing an ASSERT.

Test: cssom/crash-font-family-invalid.html

* Source/WebCore/style/StyleBuilderCustom.h:
(BuilderCustom::applyValueFontFamily): Replaced 'ASSERT' with 'return' while handling the "Font-family" property.
* LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
* LayoutTests/cssom/crash-font-family-invalid.html: Added test case.

Originally-landed-as: 267815.169@safari-7617-branch (6834321e777d). rdar://119592492
Canonical link: https://commits.webkit.org/272089@main


Commit: f97d0403a8c4581558a9fd80424f4c404f090f19
    https://github.com/WebKit/WebKit/commit/f97d0403a8c4581558a9fd80424f4c404f090f19
Author: Alan Baradlay <za...@apple.com>
Date:   2023-12-14 (Thu, 14 Dec 2023)

Changed paths:
  A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt
  A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html
  M Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp

Log Message:
-----------
[IFC] An opaque inline item should never be an overflowing run candidate
https://bugs.webkit.org/show_bug.cgi?id=262341
<rdar://115867974>

Reviewed by Simon Fraser.

An opaque inline item (e.g. out-of-flow box) should never be considered as the _overflowing_ run.

* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt: Added.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp:
(WebCore::Layout::InlineContentBreaker::tryHyphenationAcrossOverflowingInlineTextItems const):
(WebCore::Layout::InlineContentBreaker::processOverflowingContentWithText const):

Originally-landed-as: 267815.121@safari-7617-branch (e5a35fa9d60b). rdar://119593365
Canonical link: https://commits.webkit.org/272090@main


Commit: 409d5d995c040906e77e23376d2a61ceedb50206
    https://github.com/WebKit/WebKit/commit/409d5d995c040906e77e23376d2a61ceedb50206
Author: Yusuke Suzuki <ysuz...@apple.com>
Date:   2023-12-14 (Thu, 14 Dec 2023)

Changed paths:
  M Source/JavaScriptCore/runtime/ArrayBufferView.h
  M Source/JavaScriptCore/runtime/DataView.cpp
  M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
  M Source/JavaScriptCore/runtime/JSDataView.cpp
  M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

Log Message:
-----------
[JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654

Reviewed by Mark Lam.

This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue. This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined to the current process. Given that the attacker already has a way to create arbitrary serialized data, this probably does not add much additionally, but we are just adding hardening for now as an extra safety measure.

* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):

Originally-landed-as: 267815.120@safari-7617-branch (ac9f4e07603c). rdar://119594133
Canonical link: https://commits.webkit.org/272091@main


Compare: https://github.com/WebKit/WebKit/compare/cb966fb5714c...409d5d995c04
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
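The tag/index collision described in the CloneSerializer commit (272088@main) above, modeled as an added example that is not WebKit's code: a toy serializer and deserializer that read array indices and section tags from one u32 stream, with the old layout (NonIndexPropertiesTag alone ends the index section) beside the fixed layout (a TerminatorTag closes the index section first). The flat stream shape and integer-modeled property names are simplifying assumptions; the tag values and MAX_ARRAY_INDEX are the ones the commit message names.

```python
# Constructed model of the serialized-Array layout from the CloneSerializer fix
# (not WebKit code; stream shape is a simplifying assumption, tag values are the
# ones the commit names). Indices, tags, names and values share one u32 stream.
TERMINATOR_TAG = 0xFFFFFFFF
NON_INDEX_PROPERTIES_TAG = 0xFFFFFFFD
MAX_ARRAY_INDEX = 0xFFFFFFFE  # so 0xFFFFFFFD is a legal array index

def serialize(indexed, named, fixed):
    """Encode {index: value} then {name: value} (names modeled as ints)."""
    out = []
    for i, v in indexed.items():
        assert 0 <= i <= MAX_ARRAY_INDEX
        out += [i, v]
    if fixed:
        out.append(TERMINATOR_TAG)  # close index section with a tag no index can equal
        if not named:
            out.append(TERMINATOR_TAG)  # second TerminatorTag: no non-indexed section
            return out
    out.append(NON_INDEX_PROPERTIES_TAG)  # old layout: this alone ended the index section
    for k, v in named.items():
        out += [k, v]
    out.append(TERMINATOR_TAG)
    return out

def deserialize(stream, fixed):
    """Return (indexed, named). The old layout ends the index loop on
    NonIndexPropertiesTag, so an index of 0xFFFFFFFD is mistaken for it."""
    nxt = iter(stream).__next__
    indexed, named = {}, {}
    end_of_indices = TERMINATOR_TAG if fixed else NON_INDEX_PROPERTIES_TAG
    while True:
        t = nxt()
        if t == end_of_indices:
            break
        if t > MAX_ARRAY_INDEX:
            raise ValueError("invalid index %#x" % t)
        indexed[t] = nxt()
    if fixed:
        t = nxt()
        if t == TERMINATOR_TAG:
            return indexed, named  # empty non-indexed section
        if t != NON_INDEX_PROPERTIES_TAG:
            raise ValueError("expected NonIndexPropertiesTag, got %#x" % t)
    while True:
        t = nxt()
        if t == TERMINATOR_TAG:
            return indexed, named
        named[t] = nxt()
```

With the old layout, an array whose only element sits at index 0xFFFFFFFD round-trips as a named property whose value is the tag itself, which is the confusion the fix removes.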