Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9cee5daeabd138d039806770b90907a6fff97cc3
    https://github.com/WebKit/WebKit/commit/9cee5daeabd138d039806770b90907a6fff97cc3
Author: Daniel Liu <daniel_l...@apple.com>
Date: 2025-01-31 (Fri, 31 Jan 2025)

Changed paths:
  A JSTests/wasm/stress/array-init-data-bounds.js
  M Source/JavaScriptCore/wasm/WasmOperationsInlines.h

Log Message:
-----------
Update incorrect bounds check in arrayInitData that could lead to overflow
https://bugs.webkit.org/show_bug.cgi?id=284332
rdar://140773517

Reviewed by Yusuke Suzuki.

arrayInitData's operation currently checks that the source index plus the size
has not overflowed. However, size is the number of array elements, meaning that
size * elementSize could potentially overflow later on.

* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::arrayInitData):

Originally-landed-as: 283286.574@safari-7620-branch (8fbbb5e792fb). rdar://143593161
Canonical link: https://commits.webkit.org/289656@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
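
Added example, not part of the commit and not WebKit's code: a simplified model of the bug class the log message describes, where a range check validates an offset plus an element count while the byte length is derived later by an unchecked multiply. The function names, the 32-bit widths and the way the byte length is used after the check are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model of a data-segment range check (hypothetical names).
// srcOffset: byte offset into the segment; count: number of array ELEMENTS.

// Weak form: guards only srcOffset + count against wrap-around, then
// derives the byte length with an unchecked 32-bit multiply.
bool weakRangeCheck(uint32_t srcOffset, uint32_t count,
                    uint32_t elementSize, uint32_t segmentBytes)
{
    uint32_t sum = srcOffset + count;
    if (sum < srcOffset)
        return false; // offset + element count wrapped
    uint32_t byteLength = count * elementSize; // may wrap modulo 2^32
    return srcOffset + byteLength <= segmentBytes;
}

// Hardened form: convert the element count to bytes first, in a width
// that cannot wrap, and only then compare against the segment length.
bool checkedRangeCheck(uint32_t srcOffset, uint32_t count,
                       uint32_t elementSize, uint32_t segmentBytes)
{
    // (2^32-1)^2 + (2^32-1) < 2^64, so neither the product nor the sum
    // below can wrap in 64 bits.
    uint64_t byteLength = static_cast<uint64_t>(count) * elementSize;
    uint64_t end = static_cast<uint64_t>(srcOffset) + byteLength;
    return end <= segmentBytes;
}

int main()
{
    // Constructed values: 0x40000001 elements of 4 bytes need 0x100000004
    // bytes, which wraps to 4 in 32 bits and slips past the weak check.
    const uint32_t count = 0x40000001u, elementSize = 4, segmentBytes = 16;
    std::printf("weak:    %s\n",
        weakRangeCheck(0, count, elementSize, segmentBytes) ? "accepted" : "rejected");
    std::printf("checked: %s\n",
        checkedRangeCheck(0, count, elementSize, segmentBytes) ? "accepted" : "rejected");
    return 0;
}
```

Both forms agree on ranges whose byte length fits in 32 bits; they differ only when count * elementSize wraps.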