Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5099a4a8958e34dcde686fff07ce4f2487d01e96
      
https://github.com/WebKit/WebKit/commit/5099a4a8958e34dcde686fff07ce4f2487d01e96
  Author: Kai Tamkun <[email protected]>
  Date:   2026-05-26 (Tue, 26 May 2026)

  Changed paths:
    M Source/JavaScriptCore/runtime/ClonedArguments.cpp

  Log Message:
  -----------
  [JSC] Incorrect loop condition in ClonedArguments::copyToArguments with non-zero offset
https://bugs.webkit.org/show_bug.cgi?id=309185
rdar://171157543

Reviewed by Yusuke Suzuki.

This patch fixes an incorrect loop condition in ClonedArguments::copyToArguments.

No tests are added because it appears there is no possible path to call
ClonedArguments::copyToArguments with a nonzero offset. None of the tests under
JSTests call copyToArguments with a nonzero offset at any point and various
attempts to create a PoC that does so through op_call_varargs proved unsuccessful.

* Source/JavaScriptCore/runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::copyToArguments):

Originally-landed-as: 305413.436@rapid/safari-7624.2.5.110-branch (14747bdb368d). rdar://176067094
Canonical link: https://commits.webkit.org/313928@main
