Title: [200868] branches/safari-601-branch/Source/_javascript_Core

Diff

Modified: branches/safari-601-branch/Source/_javascript_Core/ChangeLog (200867 => 200868)


--- branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2016-05-13 18:45:25 UTC (rev 200867)
+++ branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2016-05-13 18:45:50 UTC (rev 200868)
@@ -1,3 +1,36 @@
+2016-05-13  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r196240. rdar://problem/26271108
+
+    2016-02-07  Filip Pizlo  <fpi...@apple.com>
+
+            String.match should defend against matches that would crash the VM
+            https://bugs.webkit.org/show_bug.cgi?id=153964
+            rdar://problem/24301119
+
+            Reviewed by Saam Barati.
+
+            This fixes a crash in an internal test case.
+
+            * runtime/ArgList.cpp:
+            (JSC::MarkedArgumentBuffer::slowAppend): Use best practices to ensure that the size we
+                compute makes sense. Crash if it stops making sense, since most users of this API assume
+                that they are creating something small enough to fit on the stack.
+            * runtime/ArgList.h:
+            (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
+            (JSC::MarkedArgumentBuffer::size):
+            (JSC::MarkedArgumentBuffer::operator new): Deleted. These were ineffective. According to the
+                debugger, we were still calling system malloc. So, I changed the code to use fastMalloc()
+                directly.
+            (JSC::MarkedArgumentBuffer::operator delete): Deleted.
+            * runtime/StringPrototype.cpp:
+            (JSC::stringProtoFuncMatch): Explicitly defend against absurd sizes. Of course, it's still
+                possible to crash the VM on OOME. That's sort of always been the philosophy of JSC - we
+                don't guarantee that you'll get a nice-looking error whenever you run out of memory,
+                since in a GC'd environment you can't really guarantee those things. But, if you have a
+                match that obvious won't fit in memory, then reporting an error is useful in case this is
+                a developer experimenting with a buggy regexp.
+
 2016-05-12  Babak Shafiei  <bshaf...@apple.com>
 
         Merge patch for r200387.

Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp (200867 => 200868)


--- branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-05-13 18:45:25 UTC (rev 200867)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-05-13 18:45:50 UTC (rev 200868)
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009, 2016 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -53,13 +53,14 @@
 
 void MarkedArgumentBuffer::slowAppend(JSValue v)
 {
-    int newCapacity = m_capacity * 4;
-    EncodedJSValue* newBuffer = new EncodedJSValue[newCapacity];
+    int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet();
+    size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet();
+    EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size));
     for (int i = 0; i < m_capacity; ++i)
         newBuffer[i] = m_buffer[i];
 
     if (EncodedJSValue* base = mallocBase())
-        delete [] base;
+        fastFree(base);
 
     m_buffer = newBuffer;
     m_capacity = newCapacity;
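Review bot: The overflow defense on lines 66-67 is silent about what it relies on: `Checked<int>`/`Checked<size_t>` with `.unsafeGet()` only turn a wrapped multiplication into a crash because, as I recall, WTF's default overflow handler is CrashOnOverflow, and nothing here says so, so a later switch to a recording handler would quietly bring back a truncated allocation followed by the out-of-bounds copy loop. A comment above line 66 such as `// Checked<> crashes on overflow; users of this API expect a small buffer, so a wrapped size is a bug, not a condition to recover from.` would pin the intent the ChangeLog describes. Note also that this guard only trips once newCapacity exceeds INT_MAX, i.e. after multi-GiB allocations have already been attempted, and fastMalloc (unlike tryFastMalloc, if memory serves) aborts rather than returning null, so the practical cap still has to come from callers. The growth factor also changed from 4 to 2 without a mention in the ChangeLog. The rest of slowAppend (storing v and bumping m_size) continues past this hunk.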

Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h (200867 => 200868)


--- branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h	2016-05-13 18:45:25 UTC (rev 200867)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h	2016-05-13 18:45:50 UTC (rev 200868)
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
- *  Copyright (C) 2003, 2007, 2008, 2009 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2007, 2008, 2009, 2016 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -57,7 +57,7 @@
             m_markSet->remove(this);
 
         if (EncodedJSValue* base = mallocBase())
-            delete [] base;
+            fastFree(base);
     }
 
     size_t size() const { return m_size; }
@@ -119,23 +119,6 @@
     EncodedJSValue m_inlineBuffer[inlineCapacity];
     EncodedJSValue* m_buffer;
     ListSet* m_markSet;
-
-private:
-    // Prohibits new / delete, which would break GC.
-    void* operator new(size_t size)
-    {
-        return fastMalloc(size);
-    }
-    void operator delete(void* p)
-    {
-        fastFree(p);
-    }
-
-    void* operator new[](size_t);
-    void operator delete[](void*);
-
-    void* operator new(size_t, void*);
-    void operator delete(void*, size_t);
 };
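Review bot: Dropping the private operator new/delete declarations removes the compile-time prohibition that the deleted comment on line 107 described: with them gone, `new MarkedArgumentBuffer` compiles from anywhere, and if mark-set registration assumes the buffer lives on the stack (the comment says heap allocation "would break GC"), this is a latent GC hazard rather than a cleanup. The ChangeLog's "ineffective" finding concerns the element buffer's `new EncodedJSValue[]` going to system malloc, which is a different allocation from the one these class-level operators govern. Suggest keeping the prohibition in C++11 form, `void* operator new(size_t) = delete;` and `void* operator new[](size_t) = delete;`, with the original "Prohibits new / delete, which would break GC" comment retained above them. The class body continues outside this hunk, so I cannot see whether something else (for example a forbid-heap-allocation macro) already covers this.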
 
 class ArgList {

Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/StringPrototype.cpp (200867 => 200868)


--- branches/safari-601-branch/Source/_javascript_Core/runtime/StringPrototype.cpp	2016-05-13 18:45:25 UTC (rev 200867)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/StringPrototype.cpp	2016-05-13 18:45:50 UTC (rev 200868)
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (por...@kde.org)
- *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2013 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2013, 2016 Apple Inc. All rights reserved.
  *  Copyright (C) 2009 Torch Mobile, Inc.
  *  Copyright (C) 2015 Jordan Harband (ljh...@gmail.com)
  *
@@ -981,6 +981,13 @@
     // return array of matches
     MarkedArgumentBuffer list;
     while (result) {
+        // We defend ourselves from crazy.
+        const size_t maximumReasonableMatchSize = 1000000000;
+        if (list.size() > maximumReasonableMatchSize) {
+            throwOutOfMemoryError(exec);
+            return JSValue::encode(jsUndefined());
+        }
+        
         size_t end = result.end;
         size_t length = end - result.start;
         list.append(jsSubstring(exec, s, result.start, length));
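Review bot: The threshold on line 144 is a bare magic number with no comment tying it to what it protects: MarkedArgumentBuffer's capacity is an `int` that doubles on each growth, so the crash the ChangeLog describes happens when capacity would exceed INT_MAX, i.e. on the append that pushes the count past 2^30 entries; 1,000,000,000 sits just under that, and 1e9 EncodedJSValues is already ~8 GiB. Suggest `// Cap the match count below the point where MarkedArgumentBuffer's int capacity would overflow on its next doubling (2^30 entries); ~8 GiB of values is already far beyond anything useful.` above line 144 so the next person does not round it up. The check runs before the append and uses `>`, so it rejects the 1,000,000,001st match, which is consistent with the ChangeLog's intent. stringProtoFuncMatch begins before this hunk, and other code that accumulates into a MarkedArgumentBuffer (split, exec-style callers, apply) is outside my view; if those can grow the same way, the guard belongs closer to slowAppend than to this one caller.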