Title: [144106] branches/chromium/1364/Source/WebCore/rendering/RenderArena.cpp
- Revision
- 144106
- Author
- jsc...@chromium.org
- Date
- 2013-02-26 14:13:51 -0800 (Tue, 26 Feb 2013)
Log Message
Merge 143811
BUG=webkit.org/b/110394
TBR=jsc...@chromium.org
Review URL: https://codereview.chromium.org/12334103
Modified: branches/chromium/1364/Source/WebCore/rendering/RenderArena.cpp (144105 => 144106)
--- branches/chromium/1364/Source/WebCore/rendering/RenderArena.cpp 2013-02-26 22:00:08 UTC (rev 144105)
+++ branches/chromium/1364/Source/WebCore/rendering/RenderArena.cpp 2013-02-26 22:13:51 UTC (rev 144106)
@@ -36,9 +36,11 @@
#include "config.h"
#include "RenderArena.h"
+#include <limits>
#include <stdlib.h>
#include <string.h>
#include <wtf/Assertions.h>
+#include <wtf/CryptographicallyRandomNumber.h>
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
@@ -89,10 +91,8 @@
// should immediately crash on the first invalid vtable access for a stale
// RenderObject pointer.
// See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
-
- // The bottom bits are predictable because the binary is loaded on a
- // boundary. This just shifts most of those predictable bits out.
- m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
+ WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
+ m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;
}
RenderArena::~RenderArena()
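Review bot: The second added line (`m_mask |= ...`) forces the top two bits and bit 0 of the mask after the random fill but carries no comment saying why, while the removed lines did explain the old derivation; the surrounding comment only states that a stale RenderObject pointer must crash, not how this bit pattern achieves it. A one-line comment ahead of it would keep a future cleanup from dropping the OR as redundant, e.g. `// Force the top two bits and bit 0 so a stale pointer XORed with the mask is always odd (misaligned) and falls in the top quarter of the address space, which should fault rather than be dereferenced silently.` It is also worth noting in the same comment that the random fill removes the dependency on the load address of WTF::fastMalloc, so the mask can no longer be derived from a known code pointer; the three fixed bits cost a negligible amount of entropy. The enclosing RenderArena constructor begins before this hunk.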