Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4d29332a09b0f3b17eff2d44f464dd8dff77cad0
      https://github.com/WebKit/WebKit/commit/4d29332a09b0f3b17eff2d44f464dd8dff77cad0
  Author: Alexey Shvayka <ashva...@apple.com>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/CustomGetterSetter.h

  Log Message:
  -----------
  [JSC] Harden CustomGetterSetter by adding MethodTable overrides that always crash
https://bugs.webkit.org/show_bug.cgi?id=268897
<rdar://122171568>

Reviewed by Mark Lam.

Just like GetterSetter, CustomGetterSetter is never purposely exposed to userland code.
However, to make exploitation of accidentally exposed CustomGetterSetter objects difficult,
this patch implements MethodTable overrides that abort the program when reached,
similar to GetterSetter.

* Source/JavaScriptCore/runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getOwnPropertySlot):
(JSC::CustomGetterSetter::put):
(JSC::CustomGetterSetter::putByIndex):
(JSC::CustomGetterSetter::setPrototype):
(JSC::CustomGetterSetter::defineOwnProperty):
(JSC::CustomGetterSetter::deleteProperty):

Originally-landed-as: 272448.523@safari-7618-branch (66d8614c41ca). rdar://128498125
Canonical link: https://commits.webkit.org/279156@main


  Commit: b287b6cc9662e88415c7958132ab001431b35f9f
      https://github.com/WebKit/WebKit/commit/b287b6cc9662e88415c7958132ab001431b35f9f
  Author: Erica Li <ler...@apple.com>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html
    M Source/WebCore/platform/mediastream/MediaConstraints.cpp
    M Source/WebCore/platform/mediastream/MediaConstraints.h
    M Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp

  Log Message:
  -----------
  WTFCrashWithSecurityImplication in WebCore::RealtimeMediaSource::fitnessDistance
https://bugs.webkit.org/show_bug.cgi?id=268800
rdar://122105977

Reviewed by Youenn Fablet.

This is a short-term suggested fix to add an isValid check to
MediaTrackConstraintSetMap to ensure each incoming constraint from an IPC call has
the right MediaConstraintType.

* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt: Added.
* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html: Added.
* Source/WebCore/platform/mediastream/MediaConstraints.cpp:
(WebCore::MediaTrackConstraintSetMap::isValid const):
* Source/WebCore/platform/mediastream/MediaConstraints.h:
* Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp:
(WebKit::UserMediaCaptureManagerProxy::createMediaSourceForCaptureDeviceWithConstraints):
(WebKit::UserMediaCaptureManagerProxy::applyConstraints):

Originally-landed-as: 272448.542@safari-7618-branch (01389d47b6ec). rdar://128498600
Canonical link: https://commits.webkit.org/279157@main


Compare: https://github.com/WebKit/WebKit/compare/223c3b4280f0...b287b6cc9662
