119281 2013-07-30 15:27:53 -0700 GetByVal on Arguments does the wrong size load when checking the Arguments object length 2013-07-30 15:40:42 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mhahnenberg mhahnenberg ggaren webkit-bug-importer oldest_to_newest 913051 0 mhahnenberg 2013-07-30 15:27:53 -0700 This leads to out of bounds accesses and subsequent crashes. Patch on its way. 913055 1 207775 mhahnenberg 2013-07-30 15:29:44 -0700 Created attachment 207775 Patch 913056 2 207775 ggaren 2013-07-30 15:32:11 -0700 Comment on attachment 207775 Patch r=me 913057 3 ggaren 2013-07-30 15:33:17 -0700 <rdar://problem/14527940> 913060 4 mhahnenberg 2013-07-30 15:40:42 -0700 Committed r153500: <http://trac.webkit.org/changeset/153500> 207775 2013-07-30 15:29:44 -0700 2013-07-30 15:32:11 -0700 Patch bug-119281-20130730153344.patch text/plain 4840 mhahnenberg SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTUzNDk5KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBA CisyMDEzLTA3LTMwICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgR2V0QnlWYWwgb24gQXJndW1lbnRzIGRvZXMgdGhlIHdyb25nIHNpemUgbG9hZCB3 aGVuIGNoZWNraW5nIHRoZSBBcmd1bWVudHMgb2JqZWN0IGxlbmd0aAorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTE5MjgxCisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBsZWFkcyB0byBvdXQgb2YgYm91 bmRzIGFjY2Vzc2VzIGFuZCBzdWJzZXF1ZW50IGNyYXNoZXMuCisKKyAgICAgICAgKiBkZmcvREZH U3BlY3VsYXRpdmVKSVQuY3BwOgorICAgICAgICAoSlNDOjpERkc6OlNwZWN1bGF0aXZlSklUOjpj b21waWxlR2V0QnlWYWxPbkFyZ3VtZW50cyk6CisgICAgICAgICogZGZnL0RGR1NwZWN1bGF0aXZl SklUNjQuY3BwOgorICAgICAgICAoSlNDOjpERkc6OlNwZWN1bGF0aXZlSklUOjpjb21waWxlKToK KwogMjAxMy0wNy0zMCAgT2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgogCiAgICAgICAg IEFkZCBhbiBhc3NlcnRpb24gdG8gU3BlY3VsYXRlQ2VsbE9wZXJhbmQKSW5kZXg6IFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQ2NC5jcHAKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDY0LmNwcAkocmV2aXNp b24gMTUzNDM4KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJ VDY0LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMjgzOSw3ICsyODM5LDcgQEAgdm9pZCBTcGVjdWxh dGl2ZUpJVDo6Y29tcGlsZShOb2RlKiBub2RlKQogICAgICAgICAgICAgLy8gVHdvIHJlYWxseSBs YW1lIGNoZWNrcy4KICAgICAgICAgICAgIHNwZWN1bGF0aW9uQ2hlY2soCiAgICAgICAgICAgICAg ICAgVW5jb3VudGFibGUsIEpTVmFsdWVTb3VyY2UoKSwgMCwKLSAgICAgICAgICAgICAgICBtX2pp dC5icmFuY2hQdHIoCisgICAgICAgICAgICAgICAgbV9qaXQuYnJhbmNoMzIoCiAgICAgICAgICAg ICAgICAgICAgIE1hY3JvQXNzZW1ibGVyOjpBYm92ZU9yRXF1YWwsIHByb3BlcnR5UmVnLAogICAg ICAgICAgICAgICAgICAgICBNYWNyb0Fzc2VtYmxlcjo6QWRkcmVzcyhiYXNlUmVnLCBPQkpFQ1Rf T0ZGU0VUT0YoQXJndW1lbnRzLCBtX251bUFyZ3VtZW50cykpKSk7CiAgICAgICAgICAgICBzcGVj dWxhdGlvbkNoZWNrKApJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxh dGl2ZUpJVC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdT cGVjdWxhdGl2ZUpJVC5jcHAJKHJldmlzaW9uIDE1MzQzOCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00MDc1LDcg KzQwNzUsNyBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpjb21waWxlR2V0QnlWYWxPbkFyCiAgICAg Ly8gVHdvIHJlYWxseSBsYW1lIGNoZWNrcy4KICAgICBzcGVjdWxhdGlvbkNoZWNrKAogICAgICAg ICBVbmNvdW50YWJsZSwgSlNWYWx1ZVNvdXJjZSgpLCAwLAotICAgICAgICBtX2ppdC5icmFuY2hQ dHIoCisgICAgICAgIG1faml0LmJyYW5jaDMyKAogICAgICAgICAgICAgTWFjcm9Bc3NlbWJsZXI6 OkFib3ZlT3JFcXVhbCwgcHJvcGVydHlSZWcsCiAgICAgICAgICAgICBNYWNyb0Fzc2VtYmxlcjo6 QWRkcmVzcyhiYXNlUmVnLCBPQkpFQ1RfT0ZGU0VUT0YoQXJndW1lbnRzLCBtX251bUFyZ3VtZW50 cykpKSk7CiAgICAgc3BlY3VsYXRpb25DaGVjaygKSW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxv Zwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDE1MzQ5OSkK KysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDEzLTA3LTMwICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgR2V0QnlWYWwgb24gQXJndW1lbnRzIGRvZXMgdGhlIHdyb25nIHNpemUgbG9hZCB3 aGVuIGNoZWNraW5nIHRoZSBBcmd1bWVudHMgb2JqZWN0IGxlbmd0aAorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTE5MjgxCisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBmYXN0L2pzL2RmZy1zdHJpY3QtbW9k ZS1hcmd1bWVudHMtZ2V0LWJleW9uZC1sZW5ndGgtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAg ICAgKiBmYXN0L2pzL2RmZy1zdHJpY3QtbW9kZS1hcmd1bWVudHMtZ2V0LWJleW9uZC1sZW5ndGgu aHRtbDogQWRkZWQuCisgICAgICAgICogZmFzdC9qcy9zY3JpcHQtdGVzdHMvZGZnLXN0cmljdC1t b2RlLWFyZ3VtZW50cy1nZXQtYmV5b25kLWxlbmd0aC5qczogQWRkZWQuCisgICAgICAgIChmb28p OgorICAgICAgICAoYmFyKToKKwogMjAxMy0wNy0zMCAgQWxleGV5IFByb3NrdXJ5YWtvdiAgPGFw QGFwcGxlLmNvbT4KIAogICAgICAgICBSRUdSRVNTSU9OKHIxMzkyODIpOiBGaXggZG9jdW1lbnQg bGVhayB3aGVuIHNlbGVjdGlvbiBpcyBjcmVhdGVkIGluc2lkZSB0aGUgZG9jdW1lbnQKSW5kZXg6 IExheW91dFRlc3RzL2Zhc3QvanMvZGZnLXN0cmljdC1tb2RlLWFyZ3VtZW50cy1nZXQtYmV5b25k LWxlbmd0aC1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9qcy9k Zmctc3RyaWN0LW1vZGUtYXJndW1lbnRzLWdldC1iZXlvbmQtbGVuZ3RoLWV4cGVjdGVkLnR4dAko cmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvanMvZGZnLXN0cmljdC1tb2RlLWFyZ3Vt ZW50cy1nZXQtYmV5b25kLWxlbmd0aC1leHBlY3RlZC50eHQJKHdvcmtpbmcgY29weSkKQEAgLTAs MCArMSw0IEBACitQQVNTIHN1Y2Nlc3NmdWxseVBhcnNlZCBpcyB0cnVlCisKK1RFU1QgQ09NUExF VEUKKwpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9qcy9kZmctc3RyaWN0LW1vZGUtYXJndW1lbnRz LWdldC1iZXlvbmQtbGVuZ3RoLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9q cy9kZmctc3RyaWN0LW1vZGUtYXJndW1lbnRzLWdldC1iZXlvbmQtbGVuZ3RoLmh0bWwJKHJldmlz aW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2pzL2RmZy1zdHJpY3QtbW9kZS1hcmd1bWVudHMt Z2V0LWJleW9uZC1sZW5ndGguaHRtbAkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDEwIEBACis8 IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL0lFVEYvL0RURCBIVE1MLy9FTiI+Cis8aHRtbD4KKzxo ZWFkPgorPHNjcmlwdCBzcmM9InJlc291cmNlcy9qcy10ZXN0LXByZS5qcyI+PC9zY3JpcHQ+Cis8 L2hlYWQ+Cis8Ym9keT4KKzxzY3JpcHQgc3JjPSJzY3JpcHQtdGVzdHMvZGZnLXN0cmljdC1tb2Rl LWFyZ3VtZW50cy1nZXQtYmV5b25kLWxlbmd0aC5qcyI+PC9zY3JpcHQ+Cis8c2NyaXB0IHNyYz0i cmVzb3VyY2VzL2pzLXRlc3QtcG9zdC5qcyI+PC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0bWw+Cklu ZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2pzL3NjcmlwdC10ZXN0cy9kZmctc3RyaWN0LW1vZGUtYXJn dW1lbnRzLWdldC1iZXlvbmQtbGVuZ3RoLmpzCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2Zh c3QvanMvc2NyaXB0LXRlc3RzL2RmZy1zdHJpY3QtbW9kZS1hcmd1bWVudHMtZ2V0LWJleW9uZC1s ZW5ndGguanMJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2pzL3NjcmlwdC10ZXN0 cy9kZmctc3RyaWN0LW1vZGUtYXJndW1lbnRzLWdldC1iZXlvbmQtbGVuZ3RoLmpzCSh3b3JraW5n IGNvcHkpCkBAIC0wLDAgKzEsMjEgQEAKKyJ1c2Ugc3RyaWN0IjsKKworZnVuY3Rpb24gZm9vKGFy Z3MsIGkpIHsKKyAgICByZXR1cm4gYXJnc1tpXTsKK30KKworZnVuY3Rpb24gYmFyKGkpIHsKKyAg ICByZXR1cm4gZm9vKGFyZ3VtZW50cywgaSk7Cit9CisKK25vSW5saW5lKGZvbyk7Citub0lubGlu ZShiYXIpOworCit3aGlsZSAoIWRmZ0NvbXBpbGVkKHtmOmZvb30pKQorICAgIGJhcigwKTsKKwor Zm9yICh2YXIgaSA9IDE7IGkgPD0gMTAwMDsgaSsrKSB7CisgICAgdmFyIHJlc3VsdCA9IGJhcihp KTsKKyAgICBpZiAocmVzdWx0ICE9PSB1bmRlZmluZWQpCisgICAgICAgIHRocm93ICJFeHBlY3Rl ZCB1bmRlZmluZWQgYXQgaW5kZXggIiArIGkgKyAiLCBnb3Q6ICIgKyByZXN1bHQ7Cit9Cg==