155234 2016-03-09 09:40:59 -0800 Harden JSC Root element functions from bad values 2016-05-09 20:40:20 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff commit-queue ddkilzer keith_miller mark.lam saam oldest_to_newest 1172576 0 msaboff 2016-03-09 09:40:59 -0800 The Root related functionCreateElement(), functionGetElement() and functionSetElementRoot() currently do not protect against bad values. In some cases, fuzzer code will cause crashes in this code. Their jsCast() calls should be replaced with jsDynamicCast() and appropriate checks. 1172589 1 273438 msaboff 2016-03-09 09:57:57 -0800 Created attachment 273438 Patch 1172598 2 msaboff 2016-03-09 10:10:46 -0800 Committed r197862: <http://trac.webkit.org/changeset/197862> 1191435 3 ddkilzer 2016-05-09 20:40:20 -0700 <rdar://problem/24291166> 273438 2016-03-09 09:57:57 -0800 2016-03-09 10:09:30 -0800 Patch 155234.patch text/plain 2518 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk3ODYxKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDE2LTAzLTA5ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIEhhcmRlbiBKU0MgUm9vdCBlbGVtZW50IGZ1bmN0aW9ucyBmcm9tIGJhZCB2YWx1ZXMKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1NTIzNAorCisg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENoYW5nZWQganND YXN0KCkgdG8ganNEeW5hbWljQ2FzdCgpIGluIFJvb3QgcmVsYXRlZCBmdW5jdGlvbiB0byBwcm90 ZWN0IGFnYWluc3QgYmVpbmcKKyAgICAgICAgY2FsbGVkIHdpdGggbm9uLVJvb3QgYXJndW1lbnRz LgorCisgICAgICAgICoganNjLmNwcDoKKyAgICAgICAgKGZ1bmN0aW9uQ3JlYXRlRWxlbWVudCk6 CisgICAgICAgIChmdW5jdGlvbkdldEVsZW1lbnQpOgorICAgICAgICAoZnVuY3Rpb25TZXRFbGVt ZW50Um9vdCk6CisKIDIwMTYtMDMtMDkgIEJlbmphbWluIFBvdWxhaW4gIDxiZW5qYW1pbkB3ZWJr aXQub3JnPgogCiAgICAgICAgIFtKU0NdIFBpY2sgaG93IHRvIE9TUiBFbnRlciB0byBGVEwgYXQg cnVudGltZSBpbnN0ZWFkIG9mIGNvbXBpbGUgdGltZQpJbmRleDogU291cmNlL0phdmFTY3JpcHRD b3JlL2pzYy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2pzYy5jcHAJ KHJldmlzaW9uIDE5Nzg1NykKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qc2MuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0xMTc0LDIzICsxMTc0LDI5IEBAIEVuY29kZWRKU1ZhbHVlIEpTQ19IT1NU X0NBTEwgZnVuY3Rpb25DcmUKIEVuY29kZWRKU1ZhbHVlIEpTQ19IT1NUX0NBTEwgZnVuY3Rpb25D cmVhdGVFbGVtZW50KEV4ZWNTdGF0ZSogZXhlYykKIHsKICAgICBKU0xvY2tIb2xkZXIgbG9jayhl eGVjKTsKLSAgICBKU1ZhbHVlIGFyZyA9IGV4ZWMtPmFyZ3VtZW50KDApOwotICAgIHJldHVybiBK U1ZhbHVlOjplbmNvZGUoRWxlbWVudDo6Y3JlYXRlKGV4ZWMtPnZtKCksIGV4ZWMtPmxleGljYWxH bG9iYWxPYmplY3QoKSwgYXJnLmlzTnVsbCgpID8gbnVsbHB0ciA6IGpzQ2FzdDxSb290Kj4oZXhl Yy0+YXJndW1lbnQoMCkpKSk7CisgICAgUm9vdCogcm9vdCA9IGpzRHluYW1pY0Nhc3Q8Um9vdCo+ KGV4ZWMtPmFyZ3VtZW50KDApKTsKKyAgICBpZiAoIXJvb3QpCisgICAgICAgIHJldHVybiBKU1Zh bHVlOjplbmNvZGUoanNVbmRlZmluZWQoKSk7CisgICAgcmV0dXJuIEpTVmFsdWU6OmVuY29kZShF bGVtZW50OjpjcmVhdGUoZXhlYy0+dm0oKSwgZXhlYy0+bGV4aWNhbEdsb2JhbE9iamVjdCgpLCBy b290KSk7CiB9CiAKIEVuY29kZWRKU1ZhbHVlIEpTQ19IT1NUX0NBTEwgZnVuY3Rpb25HZXRFbGVt ZW50KEV4ZWNTdGF0ZSogZXhlYykKIHsKICAgICBKU0xvY2tIb2xkZXIgbG9jayhleGVjKTsKLSAg ICBFbGVtZW50KiByZXN1bHQgPSBqc0Nhc3Q8Um9vdCo+KGV4ZWMtPmFyZ3VtZW50KDApLmFzQ2Vs bCgpKS0+ZWxlbWVudCgpOworICAgIFJvb3QqIHJvb3QgPSBqc0R5bmFtaWNDYXN0PFJvb3QqPihl eGVjLT5hcmd1bWVudCgwKSk7CisgICAgaWYgKCFyb290KQorICAgICAgICByZXR1cm4gSlNWYWx1 ZTo6ZW5jb2RlKGpzVW5kZWZpbmVkKCkpOworICAgIEVsZW1lbnQqIHJlc3VsdCA9IHJvb3QtPmVs ZW1lbnQoKTsKICAgICByZXR1cm4gSlNWYWx1ZTo6ZW5jb2RlKHJlc3VsdCA/IHJlc3VsdCA6IGpz VW5kZWZpbmVkKCkpOwogfQogCiBFbmNvZGVkSlNWYWx1ZSBKU0NfSE9TVF9DQUxMIGZ1bmN0aW9u U2V0RWxlbWVudFJvb3QoRXhlY1N0YXRlKiBleGVjKQogewogICAgIEpTTG9ja0hvbGRlciBsb2Nr KGV4ZWMpOwotICAgIEVsZW1lbnQqIGVsZW1lbnQgPSBqc0Nhc3Q8RWxlbWVudCo+KGV4ZWMtPmFy Z3VtZW50KDApKTsKLSAgICBSb290KiByb290ID0ganNDYXN0PFJvb3QqPihleGVjLT5hcmd1bWVu dCgxKSk7Ci0gICAgZWxlbWVudC0+c2V0Um9vdChleGVjLT52bSgpLCByb290KTsKKyAgICBFbGVt ZW50KiBlbGVtZW50ID0ganNEeW5hbWljQ2FzdDxFbGVtZW50Kj4oZXhlYy0+YXJndW1lbnQoMCkp OworICAgIFJvb3QqIHJvb3QgPSBqc0R5bmFtaWNDYXN0PFJvb3QqPihleGVjLT5hcmd1bWVudCgx KSk7CisgICAgaWYgKGVsZW1lbnQgJiYgcm9vdCkKKyAgICAgICAgZWxlbWVudC0+c2V0Um9vdChl eGVjLT52bSgpLCByb290KTsKICAgICByZXR1cm4gSlNWYWx1ZTo6ZW5jb2RlKGpzVW5kZWZpbmVk KCkpOwogfQogCg==