Summary: | [JSC] HeapUtil should care about pointer overflow
---|---
Product: | WebKit
Component: | New Bugs
Reporter: | Yusuke Suzuki <ysuzuki>
Assignee: | Yusuke Suzuki <ysuzuki>
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
CC: | ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Keywords: | InRadar
Version: | WebKit Nightly Build
Hardware: | Unspecified
OS: | Unspecified
Description
Yusuke Suzuki
2018-08-20 00:31:02 PDT
Created attachment 347485 [details]
Patch
Comment on attachment 347485 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=347485&action=review

> Source/JavaScriptCore/ChangeLog:3
> + [JSC] HeapUtil should care pointer overflow

care pointer => care about pointer

> Source/JavaScriptCore/ChangeLog:8
> + `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer is overflow.

is overflow => overflows


Comment on attachment 347485 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=347485&action=review

Thank you!

>> Source/JavaScriptCore/ChangeLog:3
>> + [JSC] HeapUtil should care pointer overflow
>
> care pointer => care about pointer

Thanks, fixed.

>> Source/JavaScriptCore/ChangeLog:8
>> + `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer is overflow.
>
> is overflow => overflows

Fixed.


Committed r235161: <https://trac.webkit.org/changeset/235161>
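The ChangeLog line quoted above describes the hazard: subtracting `sizeof(IndexingHeader) + 1` from a raw pointer is undefined behaviour when the pointer value is smaller than the subtrahend, which a conservative scan that treats arbitrary words as candidate pointers can easily hit. The following is an added illustration, not WebKit's code and not the patch committed as r235161: it does the adjustment on `uintptr_t`, where wrap-around is defined, and refuses candidates that would underflow before any pointer is formed. `HEADER_SIZE` is a constructed stand-in for `sizeof(IndexingHeader)`, and the candidate values are constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in; the real sizeof(IndexingHeader) is not given on the page. */
#define HEADER_SIZE ((uintptr_t)8)

/*
 * Computes candidate - HEADER_SIZE - 1 on an integer, not a pointer.
 * Returns true and stores the result in *out when the subtraction cannot
 * wrap below zero; returns false for candidates too small to adjust.
 * Doing the check on uintptr_t avoids ever forming an out-of-range pointer,
 * which is where the undefined behaviour in the original expression comes from.
 */
bool adjusted_candidate(uintptr_t candidate, uintptr_t *out)
{
    const uintptr_t delta = HEADER_SIZE + 1;
    if (candidate < delta)
        return false; /* would underflow: reject before touching pointer arithmetic */
    *out = candidate - delta;
    return true;
}

/*
 * Mimics a conservative scan over a range of words: every word is a possible
 * pointer, so every one must survive the underflow check. Returns how many
 * candidates could be adjusted safely.
 */
size_t count_adjustable(const uintptr_t *words, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        uintptr_t adjusted;
        if (adjusted_candidate(words[i], &adjusted))
            ok++;
    }
    return ok;
}

int main(void)
{
    /* Constructed sample words: small integers that look like tiny "pointers"
       are exactly the values that make the unguarded subtraction undefined. */
    const uintptr_t words[] = { 0, 4, 8, 9, 0x1000, UINTPTR_MAX };
    size_t n = sizeof(words) / sizeof(words[0]);
    printf("%zu of %zu candidates adjustable\n", count_adjustable(words, n), n);
    return 0;
}
```

The point of keeping the arithmetic on `uintptr_t` is that the compiler is free to assume pointer arithmetic never leaves the object it started in; a check written after the pointer subtraction can be optimised away, whereas a comparison on the integer value before converting back to a pointer cannot.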