Bug 169055 - REGRESSION(r213222) Possible use after free when setting some string based Options
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Michael Saboff
URL:
Keywords:
Depends on:
Blocks: 169029
 
Reported: 2017-03-01 14:00 PST by Michael Saboff
Modified: 2017-03-01 22:31 PST


Attachments
Patch (2.33 KB, patch)
2017-03-01 14:08 PST, Michael Saboff
mark.lam: review+

Description Michael Saboff 2017-03-01 14:00:28 PST
Change set r213222 could introduce use after free when setting certain options.
Comment 1 Michael Saboff 2017-03-01 14:08:27 PST
Created attachment 303116
Patch
Comment 2 Mark Lam 2017-03-01 14:14:43 PST
Comment on attachment 303116
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=303116&action=review

r=me

> Source/JavaScriptCore/runtime/Options.cpp:110
> +    // FIXME: This could leak if this option is set more than once.
> +    // Given that Options are typically used for testing, this isn't considered to be a problem.
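
Review bot: the FIXME at Options.cpp:110 records that the value can leak when the option is set more than once, but it does not say why the allocation is left unfreed. Since this bug is about a possible use after free introduced by r213222, add a sentence stating the lifetime the string needs, so that a later cleanup of the leak does not bring the dangling reference back.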

Please add a bugzilla URL for this FIXME.

> Source/JavaScriptCore/runtime/Options.cpp:253
> +    // FIXME: This could leak if this particular option is set more than once.
> +    // Given that these options are used for testing, this isn't considered to be problem.
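
Review bot: the comment at Options.cpp:253 ends with "isn't considered to be problem", which is missing "a", and its wording differs from the FIXME at line 110 ("this particular option" and "these options are used" versus "this option" and "Options are typically used"). Use one wording at both sites so a search for the FIXME text finds both.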

Ditto: please add a bugzilla URL.
Comment 3 Michael Saboff 2017-03-01 14:27:18 PST
Committed r213242: <http://trac.webkit.org/changeset/213242>