WebKit Bugzilla
Bug 160680 - RESOLVED FIXED
Use after free in JS array sort
https://bugs.webkit.org/show_bug.cgi?id=160680
Don Olmstead, reported 2016-08-08 17:22:56 PDT
Created attachment 285614 [details]: Example exploit

A use after free occurs in the sort of the JS array. In the attached exploit `z.toString()` was evaluated and a new element was pushed to W in the function, triggering a growth and reallocation of the array. However, it tried to write the sorted elements onto the old, already freed memory. The patch updates the location of `data` before writing to it. This bug was present from revisions 130826 to 183570. It has not been exploitable for a while but is being reported in case there are other places that may have similar issues, and so a test case might be implemented to ensure it doesn't crop up again.
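The pattern behind this bug, as an added illustration in C that is not JavaScriptCore code: a sort routine runs comparator callbacks that can grow the array and move its backing store, so a storage pointer cached before the callbacks is stale by the time the sorted elements are written back. The fix shown is the one the report describes, re-reading the location of the data just before the write; the Vec type, its helpers, growing_cmp and the sample values are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable int array standing in for the engine's array storage. */
typedef struct { int *data; size_t len, cap; } Vec;
static void vec_push(Vec *v, int x) {
    if (v->len == v->cap) {            /* grow: realloc may move data, so every */
        v->cap = v->cap ? v->cap * 2 : 2;   /* pointer cached before this dangles */
        v->data = realloc(v->data, v->cap * sizeof *v->data);
    }
    v->data[v->len++] = x;
}
/* Comparator hook; like a script-visible toString() it may mutate the array. */
typedef int (*cmp_fn)(Vec *v, int a, int b);
/* Sort the first len elements through a scratch buffer, then write them back.
 * Vulnerable pattern: `int *data = v->data;` taken here, before the callbacks,
 * and written through afterwards: a write into freed memory once a callback has
 * grown the array. Returns the number of elements written back. */
static size_t sort_front(Vec *v, cmp_fn cmp) {
    size_t n = v->len;
    int *scratch = malloc(n * sizeof *scratch);
    memcpy(scratch, v->data, n * sizeof *scratch);
    for (size_t i = 1; i < n; i++) {   /* insertion sort; each cmp may run script */
        int key = scratch[i]; size_t j = i;
        for (; j > 0 && cmp(v, scratch[j - 1], key) > 0; j--)
            scratch[j] = scratch[j - 1];
        scratch[j] = key;
    }
    int *data = v->data;   /* fix: re-read the location after the callbacks ran */
    memcpy(data, scratch, n * sizeof *scratch);
    free(scratch);
    return n;
}
static int grow_budget;    /* constructed: pushes growing_cmp may still perform */
static int growing_cmp(Vec *v, int a, int b) {
    if (grow_budget > 0) { grow_budget--; vec_push(v, 99); }
    return a - b;
}
/* Returns 1 when the original slots end up sorted and the pushed element survived. */
static int demo(void) {
    Vec v = {0};
    for (int x = 4; x >= 1; x--) vec_push(&v, x);   /* len == cap: next push moves data */
    grow_budget = 1;
    size_t n = sort_front(&v, growing_cmp);
    int ok = n == 4 && v.len == 5 && v.data[4] == 99;
    for (size_t i = 1; i < n; i++) ok = ok && v.data[i - 1] <= v.data[i];
    free(v.data);
    return ok;
}
```

Building with AddressSanitizer and restoring the cached-pointer write makes the stale write visible as a heap-use-after-free, which is the shape the committed test case guards against.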
Attachments
Example exploit (331 bytes, text/html), 2016-08-08 17:22 PDT, Don Olmstead, no flags
Fix for use after free (1.84 KB, patch), 2016-08-08 17:24 PDT, Don Olmstead, no flags
Radar WebKit Bug Importer, Comment 1, 2016-08-08 17:23:21 PDT
<rdar://problem/27757708>
Don Olmstead, Comment 2, 2016-08-08 17:24:48 PDT
Created attachment 285617 [details]: Fix for use after free
Don Olmstead, Comment 3, 2016-08-08 17:26:00 PDT
Fixed in 183570
Brent Fulgham, Comment 4, 2016-08-08 17:27:33 PDT
Fix committed in r183570 <https://trac.webkit.org/changeset/183570/>.
Brent Fulgham, Comment 5, 2016-08-10 13:09:04 PDT
Note: We should turn the exploit example into a test case so we can guard against this in the future.
Brent Fulgham, Comment 6, 2016-08-10 13:24:08 PDT
Test case added: Committed in r204344 <https://trac.webkit.org/changeset/204344>.
Brent Fulgham, Comment 7, 2018-02-16 13:40:25 PST
This fix shipped a few years ago, opening for public access.