Bug 298606 (CVE-2025-43457)

Summary: Array allocation sinking should split allocations into two, an Array allocation and a Butterfly allocation
Product: WebKit Reporter: Keith Miller <keith_miller>
Component: JavaScriptCoreAssignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, mcatanzaro, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 298671    
Bug Blocks:    

Keith Miller
Reported 2025-09-09 10:26:25 PDT
...
Attachments
Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2025-09-09 10:26:28 PDT
<rdar://problem/159207754>
Keith Miller
Comment 2 2025-09-09 10:59:39 PDT
Pull request: https://github.com/WebKit/WebKit/pull/50502
EWS
Comment 3 2025-09-10 05:40:29 PDT
Committed 299806@main (f014a3289076): <https://commits.webkit.org/299806@main> Reviewed commits have been landed. Closing PR #50502 and removing active labels.
WebKit Commit Bot
Comment 4 2025-09-10 10:49:23 PDT
Re-opened since this is blocked by bug 298671
Keith Miller
Comment 5 2025-09-12 10:02:59 PDT
Pull request: https://github.com/WebKit/WebKit/pull/50661
EWS
Comment 6 2025-09-17 18:32:35 PDT
Committed 300129@main (c3b478c1983f): <https://commits.webkit.org/300129@main> Reviewed commits have been landed. Closing PR #50661 and removing active labels.
EWS
Comment 7 2025-09-19 15:13:27 PDT
Committed 297297.440@safari-7622-branch (99f0be62c77c): <https://commits.webkit.org/297297.440@safari-7622-branch> Reviewed commits have been landed. Closing PR #3668 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.