Bug 196746 - RESOLVED FIXED
We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
https://bugs.webkit.org/show_bug.cgi?id=196746
Robin Morisset
Reported 2019-04-09 15:02:04 PDT
Currently we correctly do so when toPropertyDescriptor fails, but not when properties->get(exec, propertyNames[i]); does. This can turn an OOM into a crash, because of the check in ~MarkedArgumentBuffer. The fix is a trivial call to markBuffer.overflowCheckNotNeeded() on that path.
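The invariant behind this report, as an added toy model (this is example code written for this page, not WebKit's MarkedArgumentBuffer or defineProperties; the Toy-prefixed names, the inline and maximum capacities, the "crash counter" standing in for the real destructor's crash, and the negative-value stand-in for a failing toPropertyDescriptor are all assumptions of the example). A container records that it may have overflowed and its destructor treats an unchecked flag as a programming error, so every early return, the exception path included, must call overflowCheckNotNeeded() or hasOverflowed() first; the `patched` switch shows the pre-fix and post-fix exception path side by side:

```cpp
// Toy model of the MarkedArgumentBuffer overflow-check invariant (added example,
// not WebKit code; names, capacities and the crash counter are assumptions).
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// The real destructor crashes the process when the flag is still set; the toy
// counts those events instead so the behaviour can be exercised in a test.
static int g_toyCrashCount = 0;

class ToyMarkedArgumentBuffer {
public:
    ~ToyMarkedArgumentBuffer()
    {
        if (m_needsOverflowCheck)
            ++g_toyCrashCount; // would be a crash in the real container
    }

    // Past the inline capacity the buffer may have failed to grow (simulated OOM);
    // it records that the caller now owes an overflow check.
    void append(int value)
    {
        if (m_values.size() >= kInlineCapacity) {
            m_needsOverflowCheck = true;
            if (m_values.size() >= kMaxCapacity) {
                m_overflowed = true; // simulated allocation failure
                return;
            }
        }
        m_values.push_back(value);
    }

    // The two legitimate ways to discharge the obligation.
    bool hasOverflowed() { m_needsOverflowCheck = false; return m_overflowed; }
    void overflowCheckNotNeeded() { m_needsOverflowCheck = false; }

private:
    static constexpr size_t kInlineCapacity = 1;
    static constexpr size_t kMaxCapacity = 8;
    std::vector<int> m_values;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// Stand-in for the JSC exception scope.
struct ToyExecState {
    bool exception = false;
};

// Stand-in for properties->get(exec, propertyNames[i]): may raise an exception.
using ToyPropertyGetter = std::function<int(ToyExecState&, size_t)>;

// Mirrors the shape of defineProperties: fetch each property, then convert it.
// `patched` selects the fixed behaviour (flag cleared on both exception paths)
// versus the pre-fix behaviour (cleared only after the conversion step).
bool toyDefineProperties(ToyExecState& exec, size_t numProperties,
                         const ToyPropertyGetter& get, bool patched)
{
    ToyMarkedArgumentBuffer markBuffer;
    for (size_t i = 0; i < numProperties; ++i) {
        int prop = get(exec, i);
        if (exec.exception) {
            if (patched)
                markBuffer.overflowCheckNotNeeded(); // the one-line fix
            return false; // pre-fix: the flag may still be set here
        }
        markBuffer.append(prop);
        // Stand-in for toPropertyDescriptor failing: a negative value "throws".
        if (prop < 0) {
            exec.exception = true;
            markBuffer.overflowCheckNotNeeded(); // this path was already correct
            return false;
        }
    }
    if (markBuffer.hasOverflowed()) { // normal exit: the check clears the flag
        exec.exception = true;        // an out-of-memory error in the real code
        return false;
    }
    return true;
}

// Runs one scenario where the getter throws at index `throwAt` (or never, if
// throwAt >= numProperties) and returns how many simulated crashes occurred.
int toyRunScenario(bool patched, size_t throwAt, size_t numProperties)
{
    int before = g_toyCrashCount;
    ToyExecState exec;
    ToyPropertyGetter getter = [throwAt](ToyExecState& e, size_t i) -> int {
        if (i == throwAt) {
            e.exception = true; // e.g. a getter that ran out of memory
            return 0;
        }
        return static_cast<int>(i);
    };
    toyDefineProperties(exec, numProperties, getter, patched);
    return g_toyCrashCount - before;
}

int main()
{
    std::printf("pre-fix, throw on 3rd property: %d crash(es)\n", toyRunScenario(false, 2, 3));
    std::printf("patched, throw on 3rd property: %d crash(es)\n", toyRunScenario(true, 2, 3));
    std::printf("pre-fix, throw on 1st property: %d crash(es)\n", toyRunScenario(false, 0, 3));
    return 0;
}
```

The third scenario is why the bug is easy to miss: an exception raised before any append past the inline capacity leaves the flag clear, so only the combination of a grown buffer and a throwing getter reaches the destructor with the obligation outstanding.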
Attachments
Patch (3.77 KB, patch)
2019-04-09 15:29 PDT, Robin Morisset
ysuzuki: review+
Patch for landing (3.76 KB, patch)
2019-04-10 10:47 PDT, Robin Morisset
no flags
Robin Morisset
Comment 1 2019-04-09 15:02:21 PDT
Robin Morisset
Comment 2 2019-04-09 15:29:54 PDT
EWS Watchlist
Comment 3 2019-04-09 15:31:32 PDT
Attachment 367074 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/ChangeLog:8: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: buffer overflow [changelog/unwantedsecurityterms] [3]
ERROR: Source/JavaScriptCore/runtime/ObjectConstructor.cpp:614: Missing space before ( in while( [whitespace/parens] [5]
Total errors found: 2 in 4 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 4 2019-04-09 18:18:40 PDT
Comment on attachment 367074 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=367074&action=review
r=me with nit.
> Source/JavaScriptCore/runtime/ObjectConstructor.cpp:620
> + RETURN_IF_EXCEPTION_CLEARING_OVERFLOW(jsNull());
We can use `{ }` instead of `jsNull()`.
Robin Morisset
Comment 5 2019-04-10 10:47:16 PDT
Created attachment 367138 [details] Patch for landing
WebKit Commit Bot
Comment 6 2019-04-10 11:05:06 PDT
Comment on attachment 367138 [details] Patch for landing
Clearing flags on attachment: 367138
Committed r244136: <https://trac.webkit.org/changeset/244136>
WebKit Commit Bot
Comment 7 2019-04-10 11:05:07 PDT
All reviewed patches have been landed. Closing bug.