Title: [201772] trunk/Source/bmalloc
- Revision
- 201772
- Author
- bfulg...@apple.com
- Date
- 2016-06-07 14:09:59 -0700 (Tue, 07 Jun 2016)
Log Message
Prevents integer overflow in Vector.h
https://bugs.webkit.org/show_bug.cgi?id=158455
<rdar://problem/20235469>
Patch by Pranjal Jumde <pju...@apple.com> on 2016-06-07
Reviewed by Mark Lam.
* bmalloc/Vector.h:
(bmalloc::Vector<T>::reallocateBuffer):
Modified Paths
Diff
Modified: trunk/Source/bmalloc/ChangeLog (201771 => 201772)
--- trunk/Source/bmalloc/ChangeLog 2016-06-07 20:46:38 UTC (rev 201771)
+++ trunk/Source/bmalloc/ChangeLog 2016-06-07 21:09:59 UTC (rev 201772)
@@ -1,3 +1,14 @@
+2016-06-07 Pranjal Jumde <pju...@apple.com>
+
+ Prevents integer overflow in Vector.h
+ https://bugs.webkit.org/show_bug.cgi?id=158455
+ <rdar://problem/20235469>
+
+ Reviewed by Mark Lam.
+
+ * bmalloc/Vector.h:
+ (bmalloc::Vector<T>::reallocateBuffer):
+
2016-05-27 Konstantin Tokarev <annu...@yandex.ru>
[cmake] Deduplicated bmalloc/Zone.cpp handling.
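Review bot: the per-file entry under `* bmalloc/Vector.h:` gives the function name but no description of what changed; WebKit ChangeLog convention is a short sentence beneath `(bmalloc::Vector<T>::reallocateBuffer):`, for example `Added a RELEASE_BASSERT that newCapacity * sizeof(T) cannot overflow size_t before the buffer is allocated.`, so that a reader of the log does not have to open the diff to see why the assert exists.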
Modified: trunk/Source/bmalloc/bmalloc/Vector.h (201771 => 201772)
--- trunk/Source/bmalloc/bmalloc/Vector.h 2016-06-07 20:46:38 UTC (rev 201771)
+++ trunk/Source/bmalloc/bmalloc/Vector.h 2016-06-07 21:09:59 UTC (rev 201772)
@@ -198,6 +198,8 @@
template<typename T>
void Vector<T>::reallocateBuffer(size_t newCapacity)
{
+ RELEASE_BASSERT(newCapacity < std::numeric_limits<size_t>::max() / sizeof(T));
+
size_t vmSize = bmalloc::vmSize(newCapacity * sizeof(T));
T* newBuffer = vmSize ? static_cast<T*>(vmAllocate(vmSize)) : nullptr;
if (m_buffer) {
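Review bot: the new `RELEASE_BASSERT` guards the `newCapacity * sizeof(T)` multiplication, which is the right spot, since a wrapped product would otherwise make `bmalloc::vmSize` return a small size and `vmAllocate` hand back a buffer far shorter than the capacity the caller then writes into; two follow-ups worth confirming. First, the hunk uses `std::numeric_limits<size_t>::max()` but shows no `#include <limits>` being added, so check that Vector.h already pulls in `<limits>` rather than relying on a transitive include. Second, if `bmalloc::vmSize` rounds its argument up to a page multiple, that rounding happens after the check and is not covered by it; a product within one page of `SIZE_MAX` would still wrap inside `vmSize`, so either tighten the bound to leave headroom for the rounding or assert again on `vmSize` before calling `vmAllocate`. Using `RELEASE_BASSERT` rather than a debug-only assert is the correct choice here, because the overflow is a memory-safety condition that must fail closed in production builds as well.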
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes