Bug 159495

Summary: Return values of JSArray::createUninitialized (and related) are not consistently checked for nullptr
Product: WebKit
Reporter: Brent Fulgham <bfulgham>
Component: WebCore Misc.
Assignee: Brent Fulgham <bfulgham>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cdumez, commit-queue, dino, esprehn+autocc, gyuyoung.kim, kondapallykalyan, mkwst, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=160014

Brent Fulgham
Reported 2016-07-06 15:53:52 PDT
Various members of the JSArray class hierarchy provide some version of createUninitialized/tryCreateUninitialized. These implementations return nullptr when various bad conditions exist, such as requests greater than available memory, etc. While we have nullptr checks in most places, there are a number of cases where these are not present. This makes it possible for arbitrary web content to crash WebKit through a nullptr dereference.
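As an added illustration of the defect class the report describes (example code, not WebKit's own): a hypothetical tryCreateUninitialized that returns nullptr for oversized or failed allocations, a caller that dereferences the result without checking it (the crash pattern), and a caller that guards the size arithmetic, checks the result and reports failure, which is what comment 6 proposes for getImageData. The type, function names and the size limit are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <utility>

// Hypothetical stand-in for a JSArray-style buffer (not WebKit code): a
// fixed-length block whose contents are left uninitialized by the factory.
struct UninitializedArray {
    size_t length;
    std::unique_ptr<uint8_t[]> storage;
};

// Constructed limit on element count; the real engine uses its own bounds.
constexpr size_t kMaxArrayLength = size_t(1) << 24;

// Fallible factory: returns nullptr for oversized requests and failed
// allocations instead of aborting, which is the contract the report describes.
std::unique_ptr<UninitializedArray> tryCreateUninitialized(size_t length) {
    if (length > kMaxArrayLength)
        return nullptr;
    std::unique_ptr<uint8_t[]> storage(new (std::nothrow) uint8_t[length]);
    if (!storage)
        return nullptr;
    return std::unique_ptr<UninitializedArray>(
        new UninitializedArray{length, std::move(storage)});
}

// Bug pattern: the caller assumes the factory succeeded. A web-controlled
// width/height that exceeds the limit yields a nullptr dereference and a crash.
size_t uncheckedImageDataLength(size_t width, size_t height) {
    auto array = tryCreateUninitialized(width * height * 4);
    return array->length; // dereferences nullptr when the request was refused
}

// Fixed pattern: guard the size arithmetic, check the factory result, and
// report failure (a JS exception at the getImageData layer, per comment 6)
// rather than touching a null result. Returns false on failure.
bool checkedImageDataLength(size_t width, size_t height, size_t& outLength) {
    // width * height * 4 must not wrap around and silently shrink the request.
    if (height != 0 && width > SIZE_MAX / height / 4)
        return false;
    auto array = tryCreateUninitialized(width * height * 4);
    if (!array)
        return false;
    outLength = array->length;
    return true;
}
```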
Attachments
Patch (10.71 KB, patch), 2016-07-06 16:57 PDT, Brent Fulgham, no flags
Patch (12.07 KB, patch), 2016-07-06 17:39 PDT, Brent Fulgham, no flags
Brent Fulgham
Comment 1 2016-07-06 16:57:29 PDT
Brent Fulgham
Comment 2 2016-07-06 16:59:20 PDT
Geoffrey Garen
Comment 3 2016-07-06 17:00:12 PDT
Comment on attachment 282964 [details] Patch
Why are we logging these failures instead of throwing a JS exception?
Dean Jackson
Comment 4 2016-07-06 17:02:51 PDT
Comment on attachment 282964 [details] Patch
Why didn't we see a log in the test output?
Brent Fulgham
Comment 5 2016-07-06 17:15:06 PDT
(In reply to comment #4)
> Comment on attachment 282964 [details] Patch
>
> Why didn't we see a log in the test output?

It shows up in stderr, so if the test fails you actually can see the logging output. I don't know how to get WTFLogAlways stuff into test output.
Brent Fulgham
Comment 6 2016-07-06 17:29:43 PDT
(In reply to comment #3)
> Comment on attachment 282964 [details] Patch
>
> Why are we logging these failures instead of throwing a JS exception?

I don't think we throw JS exceptions from deep inside platform code (or at least a quick search didn't find anything helpful). I definitely CAN do so in CanvasRenderingContext2D::getImageData, which makes the test much clearer.
Brent Fulgham
Comment 7 2016-07-06 17:39:20 PDT
WebKit Commit Bot
Comment 8 2016-07-06 18:03:34 PDT
Comment on attachment 282969 [details] Patch
Clearing flags on attachment: 282969
Committed r202887: <http://trac.webkit.org/changeset/202887>
WebKit Commit Bot
Comment 9 2016-07-06 18:03:39 PDT
All reviewed patches have been landed. Closing bug.