Title: [197292] releases/WebKitGTK/webkit-2.4/Source/JavaScriptCore
- Revision: 197292
- Author: carlo...@webkit.org
- Date: 2016-02-28 06:46:42 -0800 (Sun, 28 Feb 2016)
Log Message
Merge r178311 - Out of bounds read in IdentifierArena::makeIdentifier
https://bugs.webkit.org/show_bug.cgi?id=140376
Patch by Alexey Proskuryakov.
Reviewed and ChangeLogged by Geoffrey Garen.
No test, since this is a small past-the-end read, which is very
difficult to turn into a reproducible failing test -- and existing tests
crash reliably using ASan.
* parser/ParserArena.h:
(JSC::IdentifierArena::makeIdentifier):
(JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
zero-length string input, like we do in the literal parser, since it is
not valid to dereference characters in a zero-length string.
A zero-length string is allowed in JavaScript -- for example, "".
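The log message describes a read of characters[0] that happened before length was consulted. The following is an added example, not WebKit or JavaScriptCore code: a miniature of the single-character identifier cache in IdentifierArena, with the unguarded entry point (the pre-fix shape) beside the guarded one (the post-fix shape). Identifier, VM, the arena API, MaximumCachableCharacter and the two check functions are stand-ins assumed here for illustration only.

```cpp
// Added example, not WebKit code. Stand-ins for JSC::Identifier, JSC::VM and
// IdentifierArena are assumptions made for illustration.
#include <array>
#include <cstddef>
#include <cstdint>
#include <deque>
#include <string>

using LChar = uint8_t;
using UChar = char16_t;

// Stand-in for JSC::Identifier: just the string value.
struct Identifier {
    std::u16string value;
    Identifier() = default;
    template <typename T>
    Identifier(const T* characters, size_t length) : value(characters, characters + length) {}
    bool isEmpty() const { return value.empty(); }
};

// Stand-in for the VM; the real fix returns vm->propertyNames->emptyIdentifier,
// an Identifier owned by the VM, which outlives any parser arena.
struct VM {
    Identifier emptyIdentifier;
};

constexpr unsigned MaximumCachableCharacter = 128;  // assumed value

class IdentifierArena {
public:
    explicit IdentifierArena(VM& vm) : m_vm(vm) { m_recentIdentifiers.fill(nullptr); }

    // Pre-fix shape: characters[0] is read before length is consulted, so a
    // zero-length slice of a heap buffer reads one element past its end.
    // Compiled with -fsanitize=address, that read is reported as an overflow.
    template <typename T>
    const Identifier& makeIdentifierUnchecked(const T* characters, size_t length)
    {
        if (characters[0] >= MaximumCachableCharacter)  // out-of-bounds when length == 0
            return append(characters, length);
        if (length == 1) {
            if (Identifier* cached = m_recentIdentifiers[characters[0]])
                return *cached;
            Identifier& fresh = append(characters, length);
            m_recentIdentifiers[characters[0]] = &fresh;
            return fresh;
        }
        return append(characters, length);
    }

    // Post-fix shape (the r178311 guard): a zero-length input never touches the
    // buffer and maps to the shared, VM-owned empty identifier.
    template <typename T>
    const Identifier& makeIdentifier(const T* characters, size_t length)
    {
        if (!length)
            return m_vm.emptyIdentifier;
        return makeIdentifierUnchecked(characters, length);
    }

    size_t size() const { return m_identifiers.size(); }

private:
    template <typename T>
    Identifier& append(const T* characters, size_t length)
    {
        m_identifiers.emplace_back(characters, length);  // deque keeps references stable
        return m_identifiers.back();
    }

    VM& m_vm;
    std::deque<Identifier> m_identifiers;
    std::array<Identifier*, MaximumCachableCharacter> m_recentIdentifiers;
};

// The JavaScript source "" reaches the arena as a zero-length input. With the
// guard it resolves to the VM's empty identifier and the arena is untouched.
bool emptyInputUsesVmEmptyIdentifier()
{
    VM vm;
    IdentifierArena arena(vm);
    const UChar* zeroLength = u"";  // constructed input; length passed is 0
    const Identifier& id = arena.makeIdentifier(zeroLength, 0);
    return &id == &vm.emptyIdentifier && id.isEmpty() && arena.size() == 0;
}

// Non-empty inputs are unaffected: one cachable character is deduplicated,
// a character >= MaximumCachableCharacter is appended every time.
bool singleCharacterCacheStillWorks()
{
    VM vm;
    IdentifierArena arena(vm);
    const LChar a[] = { 'a' };                       // constructed input
    const Identifier& first = arena.makeIdentifier(a, 1);
    const Identifier& second = arena.makeIdentifier(a, 1);
    const UChar wide[] = { 0x4E2D };                 // constructed, not cachable
    const Identifier& w1 = arena.makeIdentifier(wide, 1);
    const Identifier& w2 = arena.makeIdentifier(wide, 1);
    return &first == &second && &w1 != &w2 && arena.size() == 3;
}
```

The unchecked variant is kept only to show the defect; with a string literal as input the past-the-end element happens to be the terminator, so the bug is only visible under ASan when the source text lives in a heap buffer whose empty slice ends exactly at the allocation boundary, which is why the log says it is hard to turn into a deterministic failing test.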
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/ChangeLog (197291 => 197292)
--- releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/ChangeLog 2016-02-28 14:34:52 UTC (rev 197291)
+++ releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/ChangeLog 2016-02-28 14:46:42 UTC (rev 197292)
@@ -1,3 +1,24 @@
+2015-01-12 Geoffrey Garen <gga...@apple.com>
+
+ Out of bounds read in IdentifierArena::makeIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=140376
+
+ Patch by Alexey Proskuryakov.
+
+ Reviewed and ChangeLogged by Geoffrey Garen.
+
+ No test, since this is a small past-the-end read, which is very
+ difficult to turn into a reproducible failing test -- and existing tests
+ crash reliably using ASan.
+
+ * parser/ParserArena.h:
+ (JSC::IdentifierArena::makeIdentifier):
+ (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
+ zero-length string input, like we do in the literal parser, since it is
+ not valid to dereference characters in a zero-length string.
+
+ A zero-length string is allowed in _javascript_ -- for example, "".
+
2015-04-24 Matthew Mirman <mmir...@apple.com>
Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined
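Review bot: the new entry dated 2015-01-12 is placed above the 2015-04-24 entry from Matthew Mirman, so this section of the ChangeLog is no longer in reverse-chronological order; that is the usual result of cherry-picking an older upstream fix into the webkit-2.4 branch, but since the file is the only in-tree record of the backport, consider carrying the upstream revision named in the commit title (r178311) in the entry so a reader of the ChangeLog can locate the original change.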
Modified: releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/parser/ParserArena.h (197291 => 197292)
--- releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/parser/ParserArena.h 2016-02-28 14:34:52 UTC (rev 197291)
+++ releases/WebKitGTK/webkit-2.4/Source/_javascript_Core/parser/ParserArena.h 2016-02-28 14:46:42 UTC (rev 197292)
@@ -26,6 +26,7 @@
#ifndef ParserArena_h
#define ParserArena_h
+#include "CommonIdentifiers.h"
#include "Identifier.h"
#include <array>
#include <wtf/SegmentedVector.h>
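Review bot: the new `#include "CommonIdentifiers.h"` is not mentioned in the ChangeLog, which lists only the two makeIdentifier changes; it is required because the inline bodies below now dereference `vm->propertyNames`, so a forward declaration would not suffice, but note that it pulls CommonIdentifiers.h into every translation unit that includes ParserArena.h. A short mention in the ChangeLog entry would make that build-dependency change deliberate rather than incidental.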
@@ -72,6 +73,8 @@
template <typename T>
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifier(VM* vm, const T* characters, size_t length)
{
+ if (!length)
+ return vm->propertyNames->emptyIdentifier;
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier(vm, characters, length));
return m_identifiers.last();
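Review bot: the added `if (!length) return vm->propertyNames->emptyIdentifier;` is the fix, but nothing next to it says why the empty case is special; a one-line comment (for example that `characters[0]` is dereferenced on the next line and that the literal parser applies the same guard, as the ChangeLog notes) would keep a later cleanup from folding the check away. Also note that this is the only path in the function that returns a reference to an Identifier not owned by `m_identifiers`; that is safe because the VM outlives the arena, but it is worth stating in the same comment since callers of makeIdentifier may otherwise assume every returned reference lives in the arena.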
@@ -93,6 +96,8 @@
ALWAYS_INLINE const Identifier& IdentifierArena::makeIdentifierLCharFromUChar(VM* vm, const UChar* characters, size_t length)
{
+ if (!length)
+ return vm->propertyNames->emptyIdentifier;
if (characters[0] >= MaximumCachableCharacter) {
m_identifiers.append(Identifier::createLCharFromUChar(vm, characters, length));
return m_identifiers.last();
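Review bot: this guard is a verbatim copy of the one added to makeIdentifier above, and both functions share the same `characters[0] >= MaximumCachableCharacter` prologue; consider hoisting the empty-length check into a shared helper so that a future overload taking a character buffer cannot forget it. The same comment about the returned reference being VM-owned rather than arena-owned applies here.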
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes