RESOLVED INVALID111111
Actually check isHTMLUnknownElement() in toHTMLUnknownElement(). 
https://bugs.webkit.org/show_bug.cgi?id=111111
Summary Actually check isHTMLUnknownElement() in toHTMLUnknownElement().
Thomas Sepez
Reported 2013-02-28 14:01:32 PST
There already is an ASSERT_WITH_SECURITY_IMPLICATION() for this exact check in toHTMLUnknownElement(). Code inspection shows this function is only called from the wrapper creation code paths, so performance doesn't matter. This is the path that freed/corrupted/crafted blocks will take on their way out to JS when retrieved via a path that treats them as some sort of element. There don't appear to be any other memory accesses in the call sequence that can't be overcome by crafted memory. So ... take one last shot that the vtable is valid (or at least points at a function that expects no arguments and returns true) before giving JS a neatly wrapped block of freed memory.
Attachments
Patch. (1.41 KB, patch)
2013-02-28 16:04 PST, Thomas Sepez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Thomas Sepez
Comment 1 2013-02-28 16:04:30 PST
Created attachment 190832 [details] Patch.
Darin Adler
Comment 2 2013-04-08 17:50:24 PDT
This is incorrect. That’s not what these toXXX functions are for; they are not supposed to do runtime checks in release builds. If we change the family of functions, we would not change the whole family, not just this specific one.
Note You need to log in before you can comment on or make changes to this bug.