Title: [124442] trunk/Source/WebCore
- Revision: 124442
- Author: [email protected]
- Date: 2012-08-02 05:26:13 -0700 (Thu, 02 Aug 2012)
Log Message
[Qt] Uninitialized memory read in QObject runtime bridge
https://bugs.webkit.org/show_bug.cgi?id=92972
Patch by Simon Hausmann <[email protected]> on 2012-08-02
Reviewed by Kenneth Rohde Christiansen.
The vargs array has an initial size of 0 and when calling a method with no return value
and no arguments, vargs remains empty. Therefore unconditional access to vargs[0] results
in access to uninitialized memory.
No new tests, covered by valgrind in existing qobjectbridge tests.
* bridge/qt/qt_runtime.cpp:
(JSC::Bindings::QtRuntimeMetaMethod::call):
* bridge/qt/qt_runtime_qt4.cpp:
(JSC::Bindings::QtRuntimeMetaMethod::call):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (124441 => 124442)
--- trunk/Source/WebCore/ChangeLog 2012-08-02 12:03:13 UTC (rev 124441)
+++ trunk/Source/WebCore/ChangeLog 2012-08-02 12:26:13 UTC (rev 124442)
@@ -1,3 +1,21 @@
+2012-08-02 Simon Hausmann <[email protected]>
+
+ [Qt] Uninitialized memory read in QObject runtime bridge
+ https://bugs.webkit.org/show_bug.cgi?id=92972
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ The vargs array has an initial size of 0 and when calling a method with no return value
+ and no arguments, vargs remains empty. Therefore unconditional access to vargs[0] results
+ in access to uninitialized memory.
+
+ No new tests, covered by valgrind in existing qobjectbridge tests.
+
+ * bridge/qt/qt_runtime.cpp:
+ (JSC::Bindings::QtRuntimeMetaMethod::call):
+ * bridge/qt/qt_runtime_qt4.cpp:
+ (JSC::Bindings::QtRuntimeMetaMethod::call):
+
2012-08-02 Zoltan Herczeg <[email protected]>
Alignment issue for readTime in PluginDatabase.cpp
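Review bot: The "No new tests, covered by valgrind in existing qobjectbridge tests" line in this ChangeLog entry means the regression is only caught when the suite happens to run under valgrind; since the fixed path is a method with no return value and no arguments, a plain qobjectbridge test that invokes such a method from script and checks that the call returns undefined would exercise the new `vargs.size() > 0` guard deterministically and should be listed here.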
Modified: trunk/Source/WebCore/bridge/qt/qt_runtime.cpp (124441 => 124442)
--- trunk/Source/WebCore/bridge/qt/qt_runtime.cpp 2012-08-02 12:03:13 UTC (rev 124441)
+++ trunk/Source/WebCore/bridge/qt/qt_runtime.cpp 2012-08-02 12:26:13 UTC (rev 124442)
@@ -1433,7 +1433,7 @@
if (QMetaObject::metacall(obj, QMetaObject::InvokeMetaMethod, methodIndex, qargs) >= 0)
return JSValue::encode(jsUndefined());
- if (vargs[0].isValid())
+ if (vargs.size() > 0 && vargs[0].isValid())
return JSValue::encode(convertQVariantToValue(exec, d->m_instance->rootObject(), vargs[0]));
}
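Review bot: The guard `vargs.size() > 0 && vargs[0].isValid()` on the changed line closes the uninitialized read, but the context shows that `vargs[0]` is used as the return-value slot, so the invariant "slot 0 exists only when the method has a return type" now depends on both the allocation site and this check; a short comment at the read explaining that an empty vargs means a void method would keep the next edit from reintroducing the unconditional access. If vargs is a Qt container, `!vargs.isEmpty()` expresses the same condition more directly than `vargs.size() > 0`.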
Modified: trunk/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp (124441 => 124442)
--- trunk/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp 2012-08-02 12:03:13 UTC (rev 124441)
+++ trunk/Source/WebCore/bridge/qt/qt_runtime_qt4.cpp 2012-08-02 12:26:13 UTC (rev 124442)
@@ -1442,7 +1442,7 @@
if (QMetaObject::metacall(obj, QMetaObject::InvokeMetaMethod, methodIndex, qargs) >= 0)
return JSValue::encode(jsUndefined());
- if (vargs[0].isValid())
+ if (vargs.size() > 0 && vargs[0].isValid())
return JSValue::encode(convertQVariantToValue(exec, d->m_instance->rootObject(), vargs[0]));
}
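Review bot: The duplicated return-value handling in qt_runtime_qt4.cpp and qt_runtime.cpp means the same guard had to be added in two places (lines 1433 and 1442); whichever spelling of the check is kept (`vargs.size() > 0` or `!vargs.isEmpty()`) should be identical in both files, and the shared tail of QtRuntimeMetaMethod::call (metacall, undefined return, vargs[0] conversion) is a candidate for a common helper so that a future fix cannot land in only one copy.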
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes