WebKit Bugzilla
Attachment 370377 Details for Bug 198101: [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
Attachment: bug-198101-20190521204557.patch (text/plain, patch, obsolete), 2.36 KB
Description: Patch
Creator: Yusuke Suzuki
Created: 2019-05-21 20:45:58 PDT
>Subversion Revision: 245589 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index ae0f6eb29125bb121054b2d375ca9f0cbf61f026..b6a886a34222bca00eb5226632e73adc0be1f9a8 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,13 @@ >+2019-05-21 Yusuke Suzuki <ysuzuki@apple.com> >+ >+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes >+ https://bugs.webkit.org/show_bug.cgi?id=198101 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/ArrayBuffer.cpp: >+ (JSC::ArrayBufferContents::tryAllocate): >+ > 2019-05-21 Keith Miller <keith_miller@apple.com> > > Unreviewed build fix add UNUSED_PARAM. >diff --git a/Source/JavaScriptCore/runtime/ArrayBuffer.cpp b/Source/JavaScriptCore/runtime/ArrayBuffer.cpp >index b16ec38f65b397da293c8ff7deecce4c1161a67e..671bdb77132fa69f1e14f75d3bd766bb614c8a6a 100644 >--- a/Source/JavaScriptCore/runtime/ArrayBuffer.cpp >+++ b/Source/JavaScriptCore/runtime/ArrayBuffer.cpp 
>@@ -106,21 +106,22 @@ void ArrayBufferContents::tryAllocate(unsigned numElements, unsigned elementByte > return; > } > } >- size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >- if (!size) >- size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. >+ size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >+ size_t allocationSize = sizeInBytes; >+ if (!allocationSize) >+ allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. > >- void* data = Gigacage::tryMalloc(Gigacage::Primitive, numElements * elementByteSize); >- m_data = DataType(data, size); >+ void* data = Gigacage::tryMalloc(Gigacage::Primitive, allocationSize); >+ m_data = DataType(data, sizeInBytes); > if (!data) { > reset(); > return; > } > > if (policy == ZeroInitialize) >- memset(data, 0, size); >+ memset(data, 0, allocationSize); > >- m_sizeInBytes = numElements * elementByteSize; >+ m_sizeInBytes = sizeInBytes; > RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); > m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); }; > }
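Review bot: the ChangeLog entry names the function but does not say what was wrong or why it matters; add a short paragraph before the file list. From the ArrayBuffer.cpp hunk in this patch, the problem is that when numElements * elementByteSize is 0 the old code bumped `size` to 1 so malloc allocates something, passed that 1 to `DataType(data, size)`, and then stored `m_sizeInBytes = numElements * elementByteSize` (0), so the size the pointer was signed with and the size kept for authentication disagreed for zero-length buffers. The entry also lists only runtime/ArrayBuffer.cpp; consider adding a regression test that creates a zero-length buffer and touches its data.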
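Review bot: `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE)` still runs only after `Gigacage::tryMalloc` and the optional `memset`; since `sizeInBytes` is now computed up front, check it against MAX_ARRAY_BUFFER_SIZE before allocating so an oversized request fails before memory is allocated and zeroed. Otherwise the split is right: `allocationSize` feeds tryMalloc and memset, `sizeInBytes` feeds `DataType` and `m_sizeInBytes`, so the two can no longer disagree when the product is 0, and replacing the two separate `numElements * elementByteSize` expressions (both operands are `unsigned`, so that product was computed in 32 bits) with the single size_t product removes the duplicated arithmetic.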
Attachments on bug 198101: 370377 | 370390