Bug 119281 - GetByVal on Arguments does the wrong size load when checking the Arguments object length
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Hahnenberg
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-07-30 15:27 PDT by Mark Hahnenberg
Modified: 2013-07-30 15:40 PDT

See Also:


Attachments
Patch (4.73 KB, patch)
2013-07-30 15:29 PDT, Mark Hahnenberg
ggaren: review+

Description Mark Hahnenberg 2013-07-30 15:27:53 PDT
This leads to out of bounds accesses and subsequent crashes. Patch on its way.
Comment 1 Mark Hahnenberg 2013-07-30 15:29:44 PDT
Created attachment 207775
Patch
Comment 2 Geoffrey Garen 2013-07-30 15:32:11 PDT
Comment on attachment 207775
Patch

r=me
Comment 3 Geoffrey Garen 2013-07-30 15:33:17 PDT
<rdar://problem/14527940>
Comment 4 Mark Hahnenberg 2013-07-30 15:40:42 PDT
Committed r153500: <http://trac.webkit.org/changeset/153500>