Bug 155234 - Harden JSC Root element functions from bad values
Summary: Harden JSC Root element functions from bad values
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-03-09 09:40 PST by Michael Saboff
Modified: 2016-05-09 20:40 PDT (History)

See Also:


Attachments
Patch (2.46 KB, patch)
2016-03-09 09:57 PST, Michael Saboff
saam: review+

Description Michael Saboff 2016-03-09 09:40:59 PST
The Root-related functionCreateElement(), functionGetElement() and functionSetElementRoot() currently do not protect against bad values.

In some cases, fuzzer code will cause crashes in this code.

Their jsCast() calls should be replaced with jsDynamicCast() and appropriate checks.
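As an added illustration that is not part of this bug or of the WebKit patch: a self-contained C++ model of the change the description calls for. The `JSCell`, `Root`, `Element` and `JSNumber` types, the `CellType` tag and the three function names are assumptions modelled on the jsc shell's test objects, not JavaScriptCore's real classes; `uncheckedCast` stands in for jsCast(), which only asserts the type in debug builds, and `checkedCast` stands in for jsDynamicCast(), which returns nullptr on a mismatch so the caller is forced to check before dereferencing. The hardened functions return nullptr or `Outcome::TypeError` where the real code would throw a JS exception.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for JSC's cell type identity. This enum is an assumption of the
// example; real JSC identifies cell types through ClassInfo/JSType.
enum class CellType : uint8_t { Number, Root, Element };

struct JSCell {
    explicit JSCell(CellType t) : type(t) {}
    virtual ~JSCell() = default;
    CellType type;
};

struct Element;

struct JSNumber : JSCell {
    explicit JSNumber(double v) : JSCell(CellType::Number), value(v) {}
    double value;
};

struct Root : JSCell {
    Root() : JSCell(CellType::Root) {}
    Element* element = nullptr;
};

struct Element : JSCell {
    explicit Element(Root* r) : JSCell(CellType::Element), root(r) {}
    Root* root;
};

template<typename T> constexpr CellType cellTypeOf();
template<> constexpr CellType cellTypeOf<JSNumber>() { return CellType::Number; }
template<> constexpr CellType cellTypeOf<Root>()     { return CellType::Root; }
template<> constexpr CellType cellTypeOf<Element>()  { return CellType::Element; }

// Model of jsCast(): trusts the caller. JSC only ASSERTs the type in debug
// builds, so a release build handed the wrong cell reads another type's fields.
// Kept for contrast only; the hardened functions below never call it.
template<typename T> T* uncheckedCast(JSCell* cell) { return static_cast<T*>(cell); }

// Model of jsDynamicCast(): nullptr on mismatch, which forces a caller check.
template<typename T> T* checkedCast(JSCell* cell) {
    if (!cell || cell->type != cellTypeOf<T>())
        return nullptr;
    return static_cast<T*>(cell);
}

enum class Outcome { Ok, TypeError };

// Owns the Elements created below; stands in for the GC heap of the real shell.
static std::vector<std::unique_ptr<Element>> elementHeap;

// Hardened shape of the three host functions named in the bug. Every argument
// arrives straight from script, so each is validated before it is dereferenced.
Element* createElement(JSCell* rootArg) {
    Root* root = checkedCast<Root>(rootArg);
    if (!root)
        return nullptr;   // real code: throw TypeError instead of reading a non-Root
    elementHeap.push_back(std::unique_ptr<Element>(new Element(root)));
    root->element = elementHeap.back().get();
    return root->element;
}

Element* getElement(JSCell* rootArg) {
    Root* root = checkedCast<Root>(rootArg);
    return root ? root->element : nullptr;
}

Outcome setElementRoot(JSCell* elementArg, JSCell* rootArg) {
    Element* element = checkedCast<Element>(elementArg);
    Root* root = checkedCast<Root>(rootArg);
    if (!element || !root)
        return Outcome::TypeError;
    element->root = root;
    return Outcome::Ok;
}

// Fuzzer-style inputs (constructed here): a number and a null where a Root or
// Element is expected. Returns true when every bad value is rejected and the
// valid calls still behave normally.
bool badValuesAreRejected() {
    Root root;
    Root other;
    JSNumber number(42.0);

    bool ok = true;
    ok = ok && createElement(&number) == nullptr;
    ok = ok && getElement(&number) == nullptr;
    ok = ok && getElement(nullptr) == nullptr;

    Element* element = createElement(&root);
    ok = ok && element != nullptr && element->root == &root;
    ok = ok && getElement(&root) == element;

    ok = ok && setElementRoot(&number, &root) == Outcome::TypeError;
    ok = ok && setElementRoot(element, &number) == Outcome::TypeError;
    ok = ok && setElementRoot(nullptr, &root) == Outcome::TypeError;
    ok = ok && setElementRoot(element, &other) == Outcome::Ok;
    ok = ok && element->root == &other;
    return ok;
}

int main() {
    std::printf("bad values rejected: %s\n", badValuesAreRejected() ? "yes" : "no");
    return 0;
}
```

The point of the pattern is that the cast result is checked at the boundary where script-controlled values enter native code; an unchecked cast of a number or undefined into a `Root*` produces exactly the kind of type confusion a fuzzer finds by crashing the shell.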
Comment 1 Michael Saboff 2016-03-09 09:57:57 PST
Created attachment 273438
Patch
Comment 2 Michael Saboff 2016-03-09 10:10:46 PST
Committed r197862: <http://trac.webkit.org/changeset/197862>
Comment 3 David Kilzer (:ddkilzer) 2016-05-09 20:40:20 PDT
<rdar://problem/24291166>