Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: aac4cb050d4e9641f427de285f145034c317456f
https://github.com/WebKit/WebKit/commit/aac4cb050d4e9641f427de285f145034c317456f
Author: Mark Lam <[email protected]>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/JavaScriptCore/assembler/AssemblerBuffer.h
M Source/WTF/wtf/PtrTag.h
Log Message:
-----------
ARM64EHash should be using the PAC DA key instead of DB.
https://bugs.webkit.org/show_bug.cgi?id=262938
rdar://116679398
Reviewed by Justin Michaud.
Currently, it uses the PAC DB key. However, the PAC DB key is already used by the PACCage for protecting TypedArray vector pointers. Using the PAC DA key instead would ensure that there is no collision between the "namespace"s of PACCage pointers and ARM64EHash intermediate values.
* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::ARM64EHash::nextValue):
(JSC::ARM64EHash::currentHash):
(JSC::ARM64EHash::setUpdatedHash):
* Source/WTF/wtf/PtrTag.h:
(WTF::untagInt):
(WTF::tagInt):
Originally-landed-as: 267815.228@safari-7617-branch (4eda4ebd52c1).
rdar://119592222
Canonical link: https://commits.webkit.org/272087@main
Commit: 3a900e192fe7c22dccc007fde344d3a373476175
https://github.com/WebKit/WebKit/commit/3a900e192fe7c22dccc007fde344d3a373476175
Author: Mark Lam <[email protected]>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M LayoutTests/fast/storage/serialized-script-value.html
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag.
https://bugs.webkit.org/show_bug.cgi?id=262616
rdar://116034413
Reviewed by Keith Miller, Sihui Liu and Chris Dumez.
CloneSerializer and CloneDeserializer were previously using NonIndexPropertiesTag as the terminator of the indexed property section of an Array. However, NonIndexPropertiesTag's encoding is 0xFFFFFFFD, which is less than MAX_ARRAY_INDEX (0xFFFFFFFE), i.e. an index of 0xFFFFFFFD can be confused for the NonIndexPropertiesTag, resulting in type confusion.

This patch changes the structure of a serialized Array to always terminate its indexed property section with a TerminatorTag (0xFFFFFFFF) first before looking for either a NonIndexPropertiesTag or another TerminatorTag. The presence of a NonIndexPropertiesTag after the 1st TerminatorTag indicates the presence of a non-indexed properties section. The presence of a TerminatorTag immediately after the 1st TerminatorTag indicates that the non-indexed properties section is empty.

Also updated the comment describing the shape of a serialized Array, and rebased a test.
* LayoutTests/fast/storage/serialized-script-value.html:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):
Originally-landed-as: 267815.202@safari-7617-branch (401705903095).
rdar://119592509
Canonical link: https://commits.webkit.org/272088@main
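As an added illustration (not part of this commit or of WebKit's code), the toy word stream below models the before and after Array layouts described in the message above. The three tag values are the ones quoted in the commit message; the ToyArray type, the serialize/deserialize functions and the sample data are constructed for this note and do not reflect CloneSerializer's actual wire format.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <utility>
#include <vector>

// Tag values quoted from the commit message; the 32-bit word stream is a toy
// stand-in for CloneSerializer's real wire format (constructed for this note).
constexpr uint32_t TerminatorTag = 0xFFFFFFFF;
constexpr uint32_t NonIndexPropertiesTag = 0xFFFFFFFD;
constexpr uint32_t MAX_ARRAY_INDEX = 0xFFFFFFFE;

using Prop = std::pair<uint32_t, uint32_t>;  // (index or nameId, value)
using Stream = std::vector<uint32_t>;

struct ToyArray {
    std::vector<Prop> indexed;  // index -> value, index <= MAX_ARRAY_INDEX
    std::vector<Prop> named;    // nameId -> value
};

static void writePairs(Stream& s, const std::vector<Prop>& ps) {
    for (const Prop& p : ps) { s.push_back(p.first); s.push_back(p.second); }
}

// Pre-fix layout: indexed pairs, NonIndexPropertiesTag, named pairs, TerminatorTag.
Stream serializeOld(const ToyArray& a) {
    Stream s;
    writePairs(s, a.indexed);
    s.push_back(NonIndexPropertiesTag);
    writePairs(s, a.named);
    s.push_back(TerminatorTag);
    return s;
}

// Post-fix layout: indexed pairs, TerminatorTag, then either
//   NonIndexPropertiesTag, named pairs, TerminatorTag   (non-indexed section present)
//   TerminatorTag                                       (non-indexed section empty)
Stream serializeNew(const ToyArray& a) {
    Stream s;
    writePairs(s, a.indexed);
    s.push_back(TerminatorTag);
    if (!a.named.empty()) {
        s.push_back(NonIndexPropertiesTag);
        writePairs(s, a.named);
    }
    s.push_back(TerminatorTag);
    return s;
}

// Reads (key, value) pairs until `stop` appears in key position and consumes it.
// Returns false if the stream is truncated.
static bool readPairs(const Stream& s, size_t& i, uint32_t stop, std::vector<Prop>& out) {
    while (i < s.size() && s[i] != stop) {
        if (i + 1 >= s.size()) return false;
        out.push_back({s[i], s[i + 1]});
        i += 2;
    }
    if (i >= s.size()) return false;
    ++i;  // consume the stop tag
    return true;
}

// Pre-fix reader: a legal index of 0xFFFFFFFD is indistinguishable from
// NonIndexPropertiesTag, so the indexed section ends early and the remaining
// index/value words are read back as named properties (the type confusion).
std::optional<ToyArray> deserializeOld(const Stream& s) {
    ToyArray a; size_t i = 0;
    if (!readPairs(s, i, NonIndexPropertiesTag, a.indexed)) return std::nullopt;
    if (!readPairs(s, i, TerminatorTag, a.named)) return std::nullopt;
    return a;
}

// Post-fix reader: only TerminatorTag (0xFFFFFFFF) ends the indexed section, so
// every index up to MAX_ARRAY_INDEX, including 0xFFFFFFFD, is unambiguous.
std::optional<ToyArray> deserializeNew(const Stream& s) {
    ToyArray a; size_t i = 0;
    if (!readPairs(s, i, TerminatorTag, a.indexed)) return std::nullopt;
    if (i >= s.size()) return std::nullopt;
    if (s[i] == TerminatorTag) return a;  // empty non-indexed section
    if (s[i] != NonIndexPropertiesTag) return std::nullopt;
    ++i;
    if (!readPairs(s, i, TerminatorTag, a.named)) return std::nullopt;
    return a;
}

// Constructed sample: index 0xFFFFFFFD is legal (<= MAX_ARRAY_INDEX) but collides
// with NonIndexPropertiesTag under the old layout.
ToyArray sampleArray() {
    return ToyArray{ { {0, 10}, {0xFFFFFFFD, 20} }, { {7, 30} } };
}

int main() {
    auto oldResult = deserializeOld(serializeOld(sampleArray()));
    auto newResult = deserializeNew(serializeNew(sampleArray()));
    std::printf("old layout: %zu indexed, %zu named\n", oldResult->indexed.size(), oldResult->named.size());
    std::printf("new layout: %zu indexed, %zu named\n", newResult->indexed.size(), newResult->named.size());
    return 0;
}
```

Running it shows the old reader recovering one indexed and two named properties from a two-indexed, one-named input, while the new reader round-trips the sample exactly; the design point is that a section terminator must be a value the section's own keys can never take.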
Commit: 71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
https://github.com/WebKit/WebKit/commit/71fb0a3d44470a2bd8bcfe161c2e3ba71577f090
Author: Nisha Jain <[email protected]>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/cssom/crash-font-family-invalid-expected.html
A LayoutTests/cssom/crash-font-family-invalid.html
M Source/WebCore/style/StyleBuilderCustom.h
Log Message:
-----------
jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x'))
https://bugs.webkit.org/show_bug.cgi?id=262487
rdar://115283280
Reviewed by Chris Dumez.
An invalid CSS value for the CSS "Font-family" property has to be handled by returning instead of causing an ASSERT.
Test: cssom/crash-font-family-invalid.html
* Source/WebCore/style/StyleBuilderCustom.h:
(BuilderCustom::applyValueFontFamily): Replaced 'ASSERT' with 'return' while handling the "Font-family" property.
* LayoutTests/cssom/crash-font-family-invalid-expected.html: Added test case expected file.
* LayoutTests/cssom/crash-font-family-invalid.html: Added test case.
Originally-landed-as: 267815.169@safari-7617-branch (6834321e777d).
rdar://119592492
Canonical link: https://commits.webkit.org/272089@main
Commit: f97d0403a8c4581558a9fd80424f4c404f090f19
https://github.com/WebKit/WebKit/commit/f97d0403a8c4581558a9fd80424f4c404f090f19
Author: Alan Baradlay <[email protected]>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt
A LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html
M Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp
Log Message:
-----------
[IFC] An opaque inline item should never be an overflowing run candidate
https://bugs.webkit.org/show_bug.cgi?id=262341
<rdar://115867974>
Reviewed by Simon Fraser.
An opaque inline item (e.g. out-of-flow box) should never be considered as the _overflowing_ run.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow-expected.txt: Added.
* LayoutTests/fast/text/hyphen-with-overflowing-out-of-flow.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentBreaker.cpp:
(WebCore::Layout::InlineContentBreaker::tryHyphenationAcrossOverflowingInlineTextItems const):
(WebCore::Layout::InlineContentBreaker::processOverflowingContentWithText const):
Originally-landed-as: 267815.121@safari-7617-branch (e5a35fa9d60b).
rdar://119593365
Canonical link: https://commits.webkit.org/272090@main
Commit: 409d5d995c040906e77e23376d2a61ceedb50206
https://github.com/WebKit/WebKit/commit/409d5d995c040906e77e23376d2a61ceedb50206
Author: Yusuke Suzuki <[email protected]>
Date: 2023-12-14 (Thu, 14 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/ArrayBufferView.h
M Source/JavaScriptCore/runtime/DataView.cpp
M Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSDataView.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Log Message:
-----------
[JSC] Add extra hardening about incorrectly configured shared growable typed array view
https://bugs.webkit.org/show_bug.cgi?id=262338
rdar://116168654
Reviewed by Mark Lam.
This is adding extra hardening against wrongly configured shared growable typed array view materialization from SerializedScriptValue.

This pattern must not happen from normal execution. This happens only when the current process gets a bug which can emit arbitrary serialized data. And since SharedArrayBuffer cannot be sent to the other process, this issue is confined to the current process. Given that the attacker already has a way to create arbitrary serialized data, probably this does not add much additionally, but we are just adding hardening for now as an extra safety.
* Source/JavaScriptCore/runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifySubRangeLength):
* Source/JavaScriptCore/runtime/DataView.cpp:
(JSC::DataView::wrappedAs):
* Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::tryCreate):
(JSC::GenericTypedArrayView<Adaptor>::wrappedAs):
* Source/JavaScriptCore/runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
Originally-landed-as: 267815.120@safari-7617-branch (ac9f4e07603c).
rdar://119594133
Canonical link: https://commits.webkit.org/272091@main
Compare: https://github.com/WebKit/WebKit/compare/cb966fb5714c...409d5d995c04
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes