Title: [179306] branches/safari-600.5-branch/Source/JavaScriptCore
- Revision: 179306
- Author: [email protected]
- Date: 2015-01-28 14:52:19 -0800 (Wed, 28 Jan 2015)
Log Message
Merge r178311. rdar://problem/19617780
Modified Paths
Diff
Modified: branches/safari-600.5-branch/Source/_javascript_Core/ChangeLog (179305 => 179306)
--- branches/safari-600.5-branch/Source/_javascript_Core/ChangeLog 2015-01-28 22:52:17 UTC (rev 179305)
+++ branches/safari-600.5-branch/Source/_javascript_Core/ChangeLog 2015-01-28 22:52:19 UTC (rev 179306)
@@ -1,3 +1,28 @@
+2015-01-28 Matthew <[email protected]>
+
+ Merge r178311. rdar://problem/19617780
+
+ 2015-01-12 Geoffrey Garen <[email protected]>
+
+ Out of bounds read in IdentifierArena::makeIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=140376
+
+ Patch by Alexey Proskuryakov.
+
+ Reviewed and ChangeLogged by Geoffrey Garen.
+
+ No test, since this is a small past-the-end read, which is very
+ difficult to turn into a reproducible failing test -- and existing tests
+ crash reliably using ASan.
+
+ * parser/ParserArena.h:
+ (JSC::IdentifierArena::makeIdentifier):
+ (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
+ zero-length string input, like we do in the literal parser, since it is
+ not valid to dereference characters in a zero-length string.
+
+ A zero-length string is allowed in _javascript_ -- for example, "".
+
2015-01-22 Matthew Hanson <[email protected]>
Merge r174708. rdar://problem/19451256
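Review bot: The merge entry header at the top of this hunk names the author as "Matthew" only, while the existing entry below it (the 2015-01-22 one) uses the full "Matthew Hanson"; use the full name so the merged ChangeLog stays consistent with the surrounding entries. The rest of the entry is good: it names both affected functions, explains why the fix is a zero-length guard rather than something larger, and justifies the absence of a regression test (a one-byte past-the-end read that ASan already catches on existing tests).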
Modified: branches/safari-600.5-branch/Source/_javascript_Core/parser/ParserArena.h (179305 => 179306)
--- branches/safari-600.5-branch/Source/_javascript_Core/parser/ParserArena.h 2015-01-28 22:52:17 UTC (rev 179305)
+++ branches/safari-600.5-branch/Source/_javascript_Core/parser/ParserArena.h 2015-01-28 22:52:19 UTC (rev 179306)
@@ -26,6 +26,7 @@
#ifndef ParserArena_h
#define ParserArena_h
+#include "CommonIdentifiers.h"
#include "Identifier.h"
#include <array>
#include <wtf/SegmentedVector.h>
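Review bot: A full `#include "CommonIdentifiers.h"` rather than a forward declaration is required here because the inline bodies later in this header dereference `vm->propertyNames->emptyIdentifier`, so this is correct and it is placed in alphabetical order before `"Identifier.h"`. Since ParserArena.h is pulled into the parser broadly, please confirm the new include does not introduce a cycle with CommonIdentifiers.h.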
@@ -72,6 +73,8 @@
template <typename T>
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifier(VM* vm, const T* characters, size_t length)
{
+ if (!length)
+ return vm->propertyNames->emptyIdentifier;
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier(vm, characters, length));
return m_identifiers.last();
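Review bot: The `if (!length)` guard is placed before `characters[0]` is read, which is exactly the past-the-end dereference the ChangeLog describes, so the fix is in the right spot; add a one-line comment above the guard saying that a zero-length input must not be indexed (mirroring the literal parser, as the ChangeLog notes), so a later cleanup does not mistake it for a redundant check. Note also that the early return hands back `vm->propertyNames->emptyIdentifier` by reference without going through `m_identifiers`; that is fine as long as the VM-owned identifier outlives every arena that can return it, which is worth confirming with whoever owns `VM::propertyNames`.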
@@ -93,6 +96,8 @@
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifierLCharFromUChar(VM* vm, const UChar* characters, size_t length)
{
+ if (!length)
+ return vm->propertyNames->emptyIdentifier;
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier::createLCharFromUChar(vm, characters, length));
return m_identifiers.last();
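Review bot: This repeats the `if (!length) return vm->propertyNames->emptyIdentifier;` guard from `makeIdentifier` verbatim, and both functions share the same `characters[0] >= MaximumCachableCharacter` prologue; consider factoring the empty-length check into a small shared helper, or at minimum carry the same explanatory comment at both sites so they stay in sync. It would also be worth a quick pass over the rest of this header for any other entry point that indexes `characters[0]` on a caller-supplied length, since the same zero-length input would reach it.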
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes