Title: [140575] trunk/Source/WebCore
- Revision: 140575
- Author: tse...@chromium.org
- Date: 2013-01-23 12:51:48 -0800 (Wed, 23 Jan 2013)
Log Message
[chromium] harden ScriptWrappable::m_wrapper against tampering
https://bugs.webkit.org/show_bug.cgi?id=107318
Reviewed by Adam Barth.
Patch is correct if existing tests pass without crashing.
* bindings/v8/ScriptWrappable.h:
(WebCore::ScriptWrappable::ScriptWrappable):
(WebCore::ScriptWrappable::wrapper):
(WebCore::ScriptWrappable::setWrapper):
(WebCore::ScriptWrappable::clearWrapper):
(WebCore::ScriptWrappable::disposeWrapper):
(WebCore::ScriptWrappable::reportMemoryUsage):
(ScriptWrappable):
(WebCore::ScriptWrappable::maskOrUnmaskPointer):
Diff
Modified: trunk/Source/WebCore/ChangeLog (140574 => 140575)
--- trunk/Source/WebCore/ChangeLog 2013-01-23 20:42:41 UTC (rev 140574)
+++ trunk/Source/WebCore/ChangeLog 2013-01-23 20:51:48 UTC (rev 140575)
@@ -1,3 +1,22 @@
+2013-01-23 Tom Sepez <tse...@chromium.org>
+
+ [chromium] harden ScriptWrappable::m_wrapper against tampering
+ https://bugs.webkit.org/show_bug.cgi?id=107318
+
+ Reviewed by Adam Barth.
+
+ Patch is correct if existing tests past without crashing.
+
+ * bindings/v8/ScriptWrappable.h:
+ (WebCore::ScriptWrappable::ScriptWrappable):
+ (WebCore::ScriptWrappable::wrapper):
+ (WebCore::ScriptWrappable::setWrapper):
+ (WebCore::ScriptWrappable::clearWrapper):
+ (WebCore::ScriptWrappable::disposeWrapper):
+ (WebCore::ScriptWrappable::reportMemoryUsage):
+ (ScriptWrappable):
+ (WebCore::ScriptWrappable::maskOrUnmaskPointer):
+
2013-01-22 Roger Fong <roger_f...@apple.com>
WebCore property sheets, modified build scripts, and project files for compiling in VS2010.
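Review bot: Typo in the new ChangeLog entry: "Patch is correct if existing tests past without crashing." should read "pass", not "past"; the same sentence is the commit message, so it is worth correcting before landing.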
Modified: trunk/Source/WebCore/bindings/v8/ScriptWrappable.h (140574 => 140575)
--- trunk/Source/WebCore/bindings/v8/ScriptWrappable.h 2013-01-23 20:42:41 UTC (rev 140574)
+++ trunk/Source/WebCore/bindings/v8/ScriptWrappable.h 2013-01-23 20:51:48 UTC (rev 140575)
@@ -38,42 +38,47 @@
class ScriptWrappable {
public:
- ScriptWrappable()
- {
- }
+ ScriptWrappable() { }
v8::Persistent<v8::Object> wrapper() const
{
- return m_wrapper;
+ return v8::Persistent<v8::Object>(maskOrUnmaskPointer(*m_maskedWrapper));
}
void setWrapper(v8::Persistent<v8::Object> wrapper)
{
- ASSERT(!wrapper.IsEmpty());
- m_wrapper = wrapper;
+ m_maskedWrapper = maskOrUnmaskPointer(*wrapper);
}
void clearWrapper()
{
- ASSERT(!m_wrapper.IsEmpty());
- m_wrapper.Clear();
+ ASSERT(!m_maskedWrapper.IsEmpty());
+ m_maskedWrapper.Clear();
}
void disposeWrapper()
{
- ASSERT(!m_wrapper.IsEmpty());
- m_wrapper.Dispose();
- m_wrapper.Clear();
+ ASSERT(!m_maskedWrapper.IsEmpty());
+ m_maskedWrapper = wrapper();
+ m_maskedWrapper.Dispose();
+ m_maskedWrapper.Clear();
}
void reportMemoryUsage(MemoryObjectInfo* memoryObjectInfo) const
{
MemoryClassInfo info(memoryObjectInfo, this, WebCoreMemoryTypes::DOM);
- info.ignoreMember(m_wrapper);
+ info.ignoreMember(m_maskedWrapper);
}
private:
- v8::Persistent<v8::Object> m_wrapper;
+ v8::Persistent<v8::Object> m_maskedWrapper;
+
+ static inline v8::Object* maskOrUnmaskPointer(const v8::Object* object)
+ {
+ const uintptr_t objectPointer = reinterpret_cast<uintptr_t>(object);
+ const uintptr_t randomMask = ~(reinterpret_cast<uintptr_t>(&WebCoreMemoryTypes::DOM) >> 13); // Entropy via ASLR.
+ return reinterpret_cast<v8::Object*>((objectPointer ^ randomMask) & (!objectPointer - 1)); // Preserve null without branching.
+ }
};
} // namespace WebCore
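Review bot: setWrapper() drops the ASSERT(!wrapper.IsEmpty()) the old version had, while clearWrapper() and disposeWrapper() keep theirs. Because maskOrUnmaskPointer() deliberately preserves null, storing an empty handle now goes unnoticed until a later clearWrapper() or disposeWrapper() trips its ASSERT, far from the caller that passed the empty handle; suggest keeping `ASSERT(!wrapper.IsEmpty());` as the first line of setWrapper() so the failure is reported where it originates. Two smaller points on maskOrUnmaskPointer(): the `// Entropy via ASLR.` comment should say what the mask does and does not buy, namely that it is one fixed per-process value derived from the load address of WebCoreMemoryTypes::DOM, so it keeps a corrupted or stale m_maskedWrapper from being usable as a valid pointer but is only as unpredictable as that symbol's address; and `(!objectPointer - 1)` relies on bool promotion plus the int -1 converting to an all-ones uintptr_t, which is correct but would read more clearly as `(static_cast<uintptr_t>(!objectPointer) - 1)`.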
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes