Title: [115107] branches/safari-534.57-branch/Source/_javascript_Core
- Revision
- 115107
- Author
- [email protected]
- Date
- 2012-04-24 14:13:21 -0700 (Tue, 24 Apr 2012)
Log Message
Merge fix for radar 11310337.
Modified Paths
Diff
Modified: branches/safari-534.57-branch/Source/_javascript_Core/ChangeLog (115106 => 115107)
--- branches/safari-534.57-branch/Source/_javascript_Core/ChangeLog 2012-04-24 21:10:54 UTC (rev 115106)
+++ branches/safari-534.57-branch/Source/_javascript_Core/ChangeLog 2012-04-24 21:13:21 UTC (rev 115107)
@@ -1,3 +1,22 @@
+2012-04-24 Lucas Forschler <[email protected]>
+
+ Merge patch for <rdar://problem/11310337>
+
+ 2012-01-06 Gavin Barraclough <[email protected]>
+
+ <rdar://problem/10655942> ZDI-CAN-1484: _javascript_Core integer overflow in JSArray storageSize with manually set array length
+
+ Reviewed by Sam Weinig.
+
+ Added CRASHing guards againt numeric overflows.
+
+ * runtime/JSArray.cpp:
+ (JSC::storageSize):
+ (JSC::JSArray::putSlowCase):
+ (JSC::JSArray::increaseVectorLength):
+ (JSC::JSArray::increaseVectorPrefixLength):
+ (JSC::JSArray::unshiftCount):
+
2012-04-17 Lucas Forschler <[email protected]>
Merge 107647
Modified: branches/safari-534.57-branch/Source/_javascript_Core/runtime/JSArray.cpp (115106 => 115107)
--- branches/safari-534.57-branch/Source/_javascript_Core/runtime/JSArray.cpp 2012-04-24 21:10:54 UTC (rev 115106)
+++ branches/safari-534.57-branch/Source/_javascript_Core/runtime/JSArray.cpp 2012-04-24 21:13:21 UTC (rev 115107)
@@ -101,7 +101,8 @@
static inline size_t storageSize(unsigned vectorLength)
{
- ASSERT(vectorLength <= MAX_STORAGE_VECTOR_LENGTH);
+ if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
+ CRASH();
// MAX_STORAGE_VECTOR_LENGTH is defined such that provided (vectorLength <= MAX_STORAGE_VECTOR_LENGTH)
// - as asserted above - the following calculation cannot overflow.
@@ -489,8 +490,9 @@
}
void* baseStorage = storage->m_allocBase;
-
- if (!tryFastRealloc(baseStorage, storageSize(newVectorLength + m_indexBias)).getValue(baseStorage)) {
+
+ if ((unsigned)m_indexBias > (MAX_STORAGE_VECTOR_LENGTH - newVectorLength)
+ || !tryFastRealloc(baseStorage, storageSize(newVectorLength + m_indexBias)).getValue(baseStorage)) {
throwOutOfMemoryError(exec);
return;
}
@@ -646,7 +648,8 @@
unsigned newVectorLength = getNewVectorLength(newLength);
void* baseStorage = storage->m_allocBase;
- if (!tryFastRealloc(baseStorage, storageSize(newVectorLength + m_indexBias)).getValue(baseStorage))
+ if ((unsigned)m_indexBias > (MAX_STORAGE_VECTOR_LENGTH - newVectorLength)
+ || !tryFastRealloc(baseStorage, storageSize(newVectorLength + m_indexBias)).getValue(baseStorage))
return false;
storage = m_storage = reinterpret_cast_ptr<ArrayStorage*>(static_cast<char*>(baseStorage) + m_indexBias * sizeof(JSValue));
@@ -675,6 +678,8 @@
ASSERT(newLength <= MAX_STORAGE_VECTOR_INDEX);
unsigned newVectorLength = getNewVectorLength(newLength);
+ if ((unsigned)m_indexBias > (MAX_STORAGE_VECTOR_LENGTH - newVectorLength))
+ return false;
void* newBaseStorage = fastMalloc(storageSize(newVectorLength + m_indexBias));
if (!newBaseStorage)
return false;
@@ -908,7 +913,8 @@
memmove(newBaseStorage, storage, storageSize(0));
m_storage = reinterpret_cast_ptr<ArrayStorage*>(newBaseStorage);
m_vectorLength += count;
- } else if (!increaseVectorPrefixLength(m_vectorLength + count)) {
+ } else if ((unsigned)count > (MAX_STORAGE_VECTOR_LENGTH - m_vectorLength)
+ || !increaseVectorPrefixLength(m_vectorLength + count)) {
throwOutOfMemoryError(exec);
return;
}
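Review bot: The comment that follows the new guard in storageSize (first hunk) still says `// - as asserted above -`, but the ASSERT it refers to has been replaced by an unconditional CRASH(), so it should now read `// - as checked above (CRASH() on violation) - the following calculation cannot overflow.`. The same overflow guard `(unsigned)m_indexBias > (MAX_STORAGE_VECTOR_LENGTH - newVectorLength)` is copied into three functions (second, third and fourth hunks) with a `count`/`m_vectorLength` variant in the last hunk; one helper such as `static inline bool vectorLengthWouldOverflow(unsigned base, unsigned extra) { return extra > MAX_STORAGE_VECTOR_LENGTH - base; }` would keep the four sites from drifting apart. Each guard is only sound when the value subtracted from MAX_STORAGE_VECTOR_LENGTH is already at most MAX_STORAGE_VECTOR_LENGTH, otherwise the unsigned subtraction wraps and the comparison passes; the hunks do not show that getNewVectorLength() guarantees this for newVectorLength, though such a value would now be stopped by the CRASH() in storageSize rather than by the intended out-of-memory path. All the enclosing functions begin and end outside their hunks.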