WebKit Bugzilla
Attachment 361878 Details for Bug 194575: generateUnlinkedCodeBlockForFunctions has a UAF
Description: patch
Filename: a-backup.diff
MIME Type: text/plain
Creator: Saam Barati
Created: 2019-02-12 17:56:35 PST
Size: 2.03 KB
Flags: patch, obsolete
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 241334) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,16 @@ >+2019-02-12 Saam barati <sbarati@apple.com> >+ >+ generateUnlinkedCodeBlockForFunctions has a UAF >+ https://bugs.webkit.org/show_bug.cgi?id=194575 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We were using a FunctionExecutable's SourceCode without ensuring >+ we kept the FunctionExecutable alive. >+ >+ * runtime/CodeCache.cpp: >+ (JSC::generateUnlinkedCodeBlockForFunctions): >+ > 2019-02-12 Michael Catanzaro <mcatanzaro@igalia.com> > > Unreviewed, fix -Wimplicit-fallthrough warning after r241140 >Index: Source/JavaScriptCore/runtime/CodeCache.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/CodeCache.cpp (revision 241334) >+++ Source/JavaScriptCore/runtime/CodeCache.cpp (working copy) >@@ -169,11 +169,14 @@ void generateUnlinkedCodeBlockForFunctio > if (constructorKind == CodeForConstruct && SourceParseModeSet(SourceParseMode::AsyncArrowFunctionMode, SourceParseMode::AsyncMethodMode, SourceParseMode::AsyncFunctionMode).contains(unlinkedExecutable->parseMode())) > return; > >+ // FIXME: We shouldn't need to make a FunctionExecutable* just to get its SourceCode: >+ // https://bugs.webkit.org/show_bug.cgi?id=194576 > FunctionExecutable* executable = unlinkedExecutable->link(vm, parentSource); > const SourceCode& source = executable->source(); > UnlinkedFunctionCodeBlock* unlinkedFunctionCodeBlock = unlinkedExecutable->unlinkedCodeBlockFor(vm, source, constructorKind, debuggerMode, error, unlinkedExecutable->parseMode()); > if (unlinkedFunctionCodeBlock) > generateUnlinkedCodeBlockForFunctions(vm, unlinkedFunctionCodeBlock, source, debuggerMode, error); >+ executable->use(); > }; > > // FIXME: We should also generate CodeBlocks for CodeForConstruct
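Review bot: In the ChangeLog hunk, "Reviewed by NOBODY (OOPS!)" is the unfilled template line and must carry the reviewer's name before this lands; the entry also lists only CodeCache.cpp and no test, so either add the regression test that reproduces the use-after-free (a GC stress case exercising generateUnlinkedCodeBlockForFunctions) or state explicitly why no test is possible. It would also help to say in the entry how liveness is now guaranteed (the added executable->use() call), since "ensuring we kept the FunctionExecutable alive" does not tell a later reader what to look for in the code.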
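Review bot: In the CodeCache.cpp hunk, the new `executable->use();` after the recursive generateUnlinkedCodeBlockForFunctions call is the only thing keeping `executable` (and therefore the `const SourceCode& source` reference bound to its member) alive across `unlinkedCodeBlockFor` and the recursion, but with no comment it reads as a stray leftover that the next cleanup will delete and reintroduce the UAF. Add a one-line comment stating that this is a deliberate keep-alive for `executable` until `source` is last used, and confirm that `use()` is opaque enough that the optimizer cannot drop it (an inlinable no-op would leave the executable collectable during the work above). The FIXME pointing at bug 194576 is good; consider moving it next to the `use()` call as well, since that is the line the follow-up will remove.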