Title: [229748] branches/safari-605-branch/Source/_javascript_Core
- Revision
- 229748
- Author
- [email protected]
- Date
- 2018-03-20 08:21:06 -0700 (Tue, 20 Mar 2018)
Log Message
Cherry-pick r229366. rdar://problem/38651632
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (229747 => 229748)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-03-20 15:21:02 UTC (rev 229747)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-03-20 15:21:06 UTC (rev 229748)
@@ -1,5 +1,21 @@
2018-03-20 Jason Marcell <[email protected]>
+ Cherry-pick r229366. rdar://problem/38651632
+
+ 2018-03-06 Filip Pizlo <[email protected]>
+
+ MarkedArgumentsBuffer should allocate from the JSValue Gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=183377
+
+ Reviewed by Michael Saboff.
+
+ That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
+
+ * runtime/ArgList.cpp:
+ (JSC::MarkedArgumentBuffer::expandCapacity):
+
+2018-03-20 Jason Marcell <[email protected]>
+
Cherry-pick r229109. rdar://problem/38651610
2018-02-28 JF Bastien <[email protected]>
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.cpp (229747 => 229748)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.cpp 2018-03-20 15:21:02 UTC (rev 229747)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.cpp 2018-03-20 15:21:06 UTC (rev 229748)
@@ -88,7 +88,7 @@
auto checkedSize = Checked<size_t, RecordOverflow>(newCapacity) * sizeof(EncodedJSValue);
if (UNLIKELY(checkedSize.hasOverflowed()))
return this->overflowed();
- EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(checkedSize.unsafeGet()));
+ EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::malloc(Gigacage::JSValue, checkedSize.unsafeGet()));
for (int i = 0; i < m_size; ++i) {
newBuffer[i] = m_buffer[i];
addMarkSet(JSValue::decode(m_buffer[i]));
@@ -95,7 +95,7 @@
}
if (EncodedJSValue* base = mallocBase())
- fastFree(base);
+ Gigacage::free(Gigacage::JSValue, base);
m_buffer = newBuffer;
m_capacity = newCapacity;
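Review bot: The allocation on the `+` line and the two release sites (the free at the end of this hunk and the destructor hunk in ArgList.h) each spell out `Gigacage::JSValue` by hand, and nothing in the header records that m_buffer now lives in the JSValue Gigacage, so any other path outside this diff that allocates, releases or adopts m_buffer — if one exists — would silently pair a fastMalloc buffer with Gigacage::free or vice versa. A comment at the destructor in ArgList.h such as `// m_buffer (when not the inline buffer) is always allocated from Gigacage::JSValue; allocate and release it only via Gigacage::malloc/free with that kind.` would state the invariant, and a single private `static constexpr Gigacage::Kind bufferKind = Gigacage::JSValue;` used at all three sites would keep them from drifting apart. It is also worth confirming that Gigacage::malloc, like the fastMalloc it replaces, aborts rather than returning null, since newBuffer is written on the following line without a check. expandCapacity begins before this hunk, so its signature and the inline-buffer case are not visible here.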
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.h (229747 => 229748)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.h 2018-03-20 15:21:02 UTC (rev 229747)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/ArgList.h 2018-03-20 15:21:06 UTC (rev 229748)
@@ -57,7 +57,7 @@
m_markSet->remove(this);
if (EncodedJSValue* base = mallocBase())
- fastFree(base);
+ Gigacage::free(Gigacage::JSValue, base);
}
size_t size() const { return m_size; }