On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <[email protected]> wrote:

> I was present for one of the discussions about the exploit and how an
> arena like allocator could have helped at Google. One proposed solution was
> to allocate all the JS typed buffers in an arena.
>
> Is there a reason we can't just do that? It's much less intrusive to
> allocate ArrayBuffer in an arena than to allocate all DOM objects in one.

I don't think allocating all JS objects in an arena is good enough because attackers can inject nearly arbitrary sequences of bytes into DOM objects (e.g. text nodes).

- R. Niwa
_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-dev
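The point under discussion, as an added illustration that is not code from the thread or from WebKit: a toy allocator with a single shared free list hands a freed, attacker-filled payload slot straight back as the next "object" allocation, whereas keeping attacker-controllable payloads (ArrayBuffer contents, text node data) in their own partition means an object can never land on top of those bytes. The arenas, the fixed 64-byte slot size and the LIFO free list are simplifying assumptions, not WebKit's allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
#define SLOT 64

/* Minimal bump allocator with a LIFO free list (toy model, not WebKit's). */
typedef struct {
    uint8_t mem[ARENA_SIZE];
    size_t  top;       /* bump pointer for never-used slots */
    void   *freelist;  /* most recently freed slot is reused first */
} arena_t;

static arena_t obj_arena;     /* objects carrying vtables / internal pointers */
static arena_t bytes_arena;   /* attacker-controllable payloads: ArrayBuffer, text data */
static arena_t shared_arena;  /* the unpartitioned heap the partition scheme replaces */

static void *arena_alloc(arena_t *a) {
    if (a->freelist) {                   /* reuse a freed slot first */
        void *p = a->freelist;
        a->freelist = *(void **)p;
        return p;
    }
    if (a->top + SLOT > ARENA_SIZE) return NULL;
    void *p = a->mem + a->top;
    a->top += SLOT;
    return p;
}

static void arena_free(arena_t *a, void *p) {
    *(void **)p = a->freelist;           /* link slot into the free list */
    a->freelist = p;
}

/* Returns 1 if an object allocated right after a payload slot is freed
   receives that very slot, i.e. the object now sits on attacker-chosen bytes.
   partitioned == 0 models one shared heap; partitioned == 1 models separate arenas. */
int object_reuses_freed_payload(int partitioned) {
    arena_t *payload = partitioned ? &bytes_arena : &shared_arena;
    arena_t *objects = partitioned ? &obj_arena   : &shared_arena;
    uint8_t *buf = arena_alloc(payload);
    memset(buf, 0x41, SLOT);             /* constructed payload: content a page script controls */
    arena_free(payload, buf);
    uint8_t *obj = arena_alloc(objects); /* next object allocation */
    return obj == buf;
}
```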

