WebKit Bugzilla: Attachment 347485 Details for Bug 188740: [JSC] HeapUtil should care about pointer overflow
Patch: bug-188740-20180820165510.patch (text/plain), 1.97 KB, created by Yusuke Suzuki on 2018-08-20 00:55:11 PDT
Description: Patch
Filename: bug-188740-20180820165510.patch
MIME Type: text/plain
Creator: Yusuke Suzuki
Created: 2018-08-20 00:55:11 PDT
Size: 1.97 KB
Attachment status: patch, obsolete
>Subversion Revision: 235024 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 8f4f3380b9d68081f14b45a5cc53d3b70983ff91..6d54dc0b1063a25de93c98d41d9c21836173797e 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,17 @@ >+2018-08-20 Yusuke Suzuki <yusukesuzuki@slowstart.org> >+ >+ [JSC] HeapUtil should care pointer overflow >+ https://bugs.webkit.org/show_bug.cgi?id=188740 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer is overflow. >+ For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this >+ with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan. >+ >+ * heap/HeapUtil.h: >+ (JSC::HeapUtil::findGCObjectPointersForMarking): >+ > 2018-08-19 Carlos Garcia Campos <cgarcia@igalia.com> > > [GLIB] Add API to throw exceptions using printf formatted strings >diff --git a/Source/JavaScriptCore/heap/HeapUtil.h b/Source/JavaScriptCore/heap/HeapUtil.h >index 9ef03ea6fcd987d4a98fc7eb19444d1085cc0d05..f94df03c1beed1850a8a3f1e90b6ec80f927a2ed 100644 >--- a/Source/JavaScriptCore/heap/HeapUtil.h >+++ b/Source/JavaScriptCore/heap/HeapUtil.h >@@ -84,7 +84,7 @@ class HeapUtil { > // It's possible for a butterfly pointer to point past the end of a butterfly. Check this now. > if (pointer <= bitwise_cast<char*>(candidate) + sizeof(IndexingHeader)) { > // We may be interested in the last cell of the previous MarkedBlock. >- char* previousPointer = pointer - sizeof(IndexingHeader) - 1; >+ char* previousPointer = bitwise_cast<char*>(bitwise_cast<uintptr_t>(pointer) - sizeof(IndexingHeader) - 1); > MarkedBlock* previousCandidate = MarkedBlock::blockFor(previousPointer); > if (!filter.ruleOut(bitwise_cast<Bits>(previousCandidate)) > && set.contains(previousCandidate)
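Review bot: The ChangeLog hunk still carries the `Reviewed by NOBODY (OOPS!).` placeholder, and its title, `[JSC] HeapUtil should care pointer overflow`, drops the `about` from the bug title; fill in the reviewer (the attachment carries saam's review+) and align the title with the bug before landing. In the description, `if a pointer is overflow` should read `if the pointer arithmetic overflows`, and the nullptr case is clearer stated as what it is: subtracting `sizeof(IndexingHeader) + 1` from a null `char*` produces a pointer below zero, which is the undefined pointer arithmetic UBSan reported.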
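Review bot: In the HeapUtil.h hunk the `uintptr_t` subtraction is well-defined, but for a `pointer` value smaller than `sizeof(IndexingHeader) + 1` (nullptr included) it wraps to an address near the top of the address space; correctness then rests on `MarkedBlock::blockFor(previousPointer)` yielding a block that `filter.ruleOut(bitwise_cast<Bits>(previousCandidate))` or `set.contains(previousCandidate)` rejects before anything is dereferenced, which the visible context supports but nothing in the code says. Add a one-line comment above the new line making that explicit, e.g. `// Computed as an integer so that small pointer values (e.g. nullptr) wrap instead of triggering pointer-overflow UB; the result is only used after the block set check below.` The comparison two lines up, `pointer <= bitwise_cast<char*>(candidate) + sizeof(IndexingHeader)`, performs the same kind of `char*` arithmetic on `candidate`; if `candidate` can be null when `pointer` is, it deserves the same `uintptr_t` treatment for consistency.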
Flags: saam: review+