RESOLVED FIXED 187444
PropertyTable::skipDeletedEntries() should guard against iterating past the table end. 
https://bugs.webkit.org/show_bug.cgi?id=187444
Summary PropertyTable::skipDeletedEntries() should guard against iterating past the t...
Mark Lam
Reported 2018-07-08 00:35:34 PDT
PropertyTable supports C++ iteration by offering begin() and end() methods, and an iterator class. The begin() methods and the iterator operator++() method uses PropertyTable::skipDeletedEntries() to skip over deleted entries in the table. However, PropertyTable::skipDeletedEntries() does not prevent the iteration pointer from being incremented past the end of the table. As a result, we can iterate past the end of the table. Note that the C++ iteration protocol tests for the iterator not being equal to the end() value. It does not do a <= test. If the iterator ever shoots past end, the loop will effectively not terminate. This issue can manifest if and only if the last entry in the table is a deleted one. <rdar://problem/41282849>
Attachments
proposed patch. (5.28 KB, patch)
2018-07-08 01:11 PDT, Mark Lam 		mark.lam: review-
DetailsFormatted DiffDiff
proposed patch. (4.99 KB, patch)
2018-07-08 01:14 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2018-07-08 01:11:47 PDT
Created attachment 344540 [details] proposed patch.
Mark Lam
Comment 2 2018-07-08 01:14:48 PDT
Created attachment 344541 [details] proposed patch.
Saam Barati
Comment 3 2018-07-08 01:58:58 PDT
Comment on attachment 344541 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=344541&action=review > Source/JavaScriptCore/ChangeLog:18 > + This issue can manifest if and only if the last entry in the table is a deleted Crazy
Mark Lam
Comment 4 2018-07-08 02:27:25 PDT
Comment on attachment 344541 [details] proposed patch. Thanks for the review. Landing.
WebKit Commit Bot
Comment 5 2018-07-08 02:54:57 PDT
Comment on attachment 344541 [details] proposed patch. Clearing flags on attachment: 344541 Committed r233625: <https://trac.webkit.org/changeset/233625>
WebKit Commit Bot
Comment 6 2018-07-08 02:54:59 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.