155234 – Harden JSC Root element functions from bad values

RESOLVED FIXED 155234

Harden JSC Root element functions from bad values

https://bugs.webkit.org/show_bug.cgi?id=155234

Summary Harden JSC Root element functions from bad values

Michael Saboff

Reported 2016-03-09 09:40:59 PST

The Root related functionCreateElement(), functionGetElement() and functionSetElementRoot() currently do not protect against bad values. In some cases, fuzzer code will cause crashes in this code. Their jsCast() calls should be replaced with jsDynamicCast() and appropriate checks.

Attachments
Patch (2.46 KB, patch) 2016-03-09 09:57 PST, Michael Saboff	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2016-03-09 09:57:57 PST

Created attachment 273438 [details] Patch

Michael Saboff

Comment 2 2016-03-09 10:10:46 PST

Committed r197862: <http://trac.webkit.org/changeset/197862>

David Kilzer (:ddkilzer)

Comment 3 2016-05-09 20:40:20 PDT

<rdar://problem/24291166>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Michael Saboff

Reported

2016-03-09 09:40 PST

Modified

2016-05-09 20:40 PDT History

CC List

5 users Show

URL

Keywords InRadar

Depends on

Blocks