Bug 268075
| Summary: | [JSC] TypedArray sorting methods should have a special-case for comparator returning `false` | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | xiaochen guo <M202271709> |
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> |
| Status: | RESOLVED FIXED | ||
| Severity: | Major | CC: | ashvayka, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=47825 | ||
xiaochen guo
Execute the poc.js below.
let arr = [10, 3, 8, 5, 30, 100, 6, 7, 100, 3]
let obj = new Int8Array(arr);
print(obj.toSorted((x, y) => { return x < y }))
output: 10,3,8,5,30,100,6,7,100,3
expect: 100,100,30,10,8,7,6,5,3,3
Due to the fact that each element in the Int8Array is a number, the expected result of descending sorting would be '100, 100, 30, 10, 8, 7, 6, 5, 3, 3'. I have also tested this in other JavaScript engines, and the results align with expectations. I believe this could potentially pose a security issue.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/122093956>
Alexey Shvayka
Pull request: https://github.com/WebKit/WebKit/pull/25902
EWS
Committed 276130@main (798d1789439a): <https://commits.webkit.org/276130@main>
Reviewed commits have been landed. Closing PR #25902 and removing active labels.