Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c702978087bc0c1a34407bbeeeccc6cf1add3b76
https://github.com/WebKit/WebKit/commit/c702978087bc0c1a34407bbeeeccc6cf1add3b76
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2025-01-07 (Tue, 07 Jan 2025)

  Changed paths:
    A JSTests/stress/array-fast-fill-beyond-length.js
    M Source/JavaScriptCore/runtime/JSArray.cpp

  Log Message:
  -----------
  [JSC] heap-buffer-overflow on WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17
https://bugs.webkit.org/show_bug.cgi?id=285393
rdar://142369820

Reviewed by Mark Lam.

Obtaining length from Array can involve some user code, which can change
the array's length actually. The fast path should check the actual
length before filling.

* JSTests/stress/array-fast-fill-beyond-length.js: Added.
(f11):
* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::JSArray::fastFill):

Canonical link: https://commits.webkit.org/288578@main
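The re-entrancy pattern the commit message describes, modeled as an added C++ example (not JavaScriptCore code; ToyArray, fillStaleLength, fillChecked and the hook type are hypothetical names): the vulnerable shape trusts a length captured before user code ran, while the fixed shape re-checks the live length before filling, which is the behaviour the commit describes (the exact JSC check is an assumption).

```cpp
#include <cstddef>
#include <functional>
#include <stdexcept>
#include <vector>

// Toy model of a JS array whose length can be changed by user code that runs
// while Array.prototype.fill is still coercing its arguments.
struct ToyArray {
    std::vector<int> storage;                    // the backing store
    std::size_t length() const { return storage.size(); }
};

// User code (for example a valueOf hook on an argument) that runs during
// argument coercion and may shrink the array behind the caller's back.
using UserHook = std::function<void(ToyArray&)>;

// Vulnerable shape: length is read once, the hook runs, then the fill trusts the
// stale length. storage.at() throws where real code would write past the
// allocation, so the bug surfaces as an exception instead of memory corruption.
std::size_t fillStaleLength(ToyArray& a, std::size_t start, int value, const UserHook& hook) {
    std::size_t end = a.length();                // captured before user code runs
    hook(a);                                     // user code may shrink the array here
    for (std::size_t i = start; i < end; ++i)
        a.storage.at(i) = value;                 // out_of_range models the overflow
    return end - start;
}

// Fixed shape: re-validate the range against the *current* length after all
// user code has run; if it no longer fits, leave the fast path (return 0).
std::size_t fillChecked(ToyArray& a, std::size_t start, int value, const UserHook& hook) {
    std::size_t end = a.length();
    hook(a);
    if (start >= a.length() || end > a.length())
        return 0;                                // actual length changed: slow path
    for (std::size_t i = start; i < end; ++i)
        a.storage[i] = value;
    return end - start;
}

// Constructed scenario: an n-element array whose hook shrinks it to shrinkTo.
// Returns true if the stale-length fill would have written out of bounds.
bool staleFillOverflows(std::size_t n, std::size_t shrinkTo) {
    ToyArray a;
    a.storage.assign(n, 0);
    UserHook shrink = [shrinkTo](ToyArray& x) { x.storage.resize(shrinkTo); };
    try { fillStaleLength(a, 0, 1, shrink); } catch (const std::out_of_range&) { return true; }
    return false;
}
```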

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes