Currently we correctly do so when toPropertyDescriptor fails, but not when properties->get(exec, propertyNames[i]) does. This can turn an OOM into a crash, because of the check in ~MarkedArgumentBuffer. The fix is a trivial call to markBuffer.overflowCheckNotNeeded() on that path.
rdar://problem/49555709
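The mechanism the description relies on, as an added illustration rather than WebKit's own code: a cut-down model of the MarkedArgumentBuffer bookkeeping in which the destructor records (instead of asserting) that the overflow status was neither inspected via hasOverflowed() nor waived via overflowCheckNotNeeded(), and a loop with the same shape as the defineProperties loop that either returns bare on a thrown get (the bug) or waives the check first (the fix). The class MarkedArgumentBufferModel, the ThrowScope stand-in, getProperty, defineLoop, destructorTrips and the Variant enum are all hypothetical names invented for this example; the capacity, the "throws on index throwAt" rule and the "append marks the buffer as needing a check" simplification are assumptions of the model, not a description of JSC internals.

```cpp
// Added example (not WebKit code): a model of why the exception path in the
// defineProperties loop must call overflowCheckNotNeeded() before returning.
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for JSC's ThrowScope: only tracks whether an exception is pending.
struct ThrowScope {
    bool pending = false;
    bool exception() const { return pending; }
};

// Hypothetical model of MarkedArgumentBuffer. Assumption of the model: every
// append may overflow, so afterwards the owner must either ask hasOverflowed()
// or declare the check unnecessary; otherwise the destructor trips (JSC asserts
// there, which is what turns an OOM exception into a crash).
class MarkedArgumentBufferModel {
public:
    MarkedArgumentBufferModel(bool& destructorTripped, size_t capacity)
        : m_destructorTripped(destructorTripped), m_capacity(capacity) { }
    ~MarkedArgumentBufferModel() {
        if (m_needsOverflowCheck)
            m_destructorTripped = true;   // real code: ASSERT fires here
    }
    void append(int value) {
        m_needsOverflowCheck = true;
        if (m_values.size() >= m_capacity) { m_overflowed = true; return; }
        m_values.push_back(value);
    }
    bool hasOverflowed() { m_needsOverflowCheck = false; return m_overflowed; }
    void overflowCheckNotNeeded() { m_needsOverflowCheck = false; }
private:
    bool& m_destructorTripped;
    size_t m_capacity;
    bool m_needsOverflowCheck = false;
    bool m_overflowed = false;
    std::vector<int> m_values;
};

// Stand-in for properties->get(exec, propertyNames[i]): a getter can run JS and
// throw; modelled here as "throws when i == throwAt" (constructed behaviour).
static int getProperty(ThrowScope& scope, size_t i, size_t throwAt) {
    if (i == throwAt) { scope.pending = true; return 0; }
    return static_cast<int>(i);
}

enum class Variant { Buggy, Fixed };

// Same shape as the defineProperties loop: fetch each property (may throw), then
// append its value to the marking buffer. On the exception path the Buggy variant
// returns without touching the overflow state; the Fixed variant waives the
// check first, which is what markBuffer.overflowCheckNotNeeded() does in the fix.
static bool defineLoop(Variant variant, size_t count, size_t throwAt, bool& tripped) {
    ThrowScope scope;
    MarkedArgumentBufferModel markBuffer(tripped, /* capacity */ 4);
    for (size_t i = 0; i < count; ++i) {
        int value = getProperty(scope, i, throwAt);
        if (scope.exception()) {
            if (variant == Variant::Fixed)
                markBuffer.overflowCheckNotNeeded();
            return false;                 // markBuffer is destroyed here
        }
        markBuffer.append(value);
    }
    if (markBuffer.hasOverflowed())       // normal path: the state is inspected
        return false;
    return true;
}

// True if the buffer's destructor fired its check for the given scenario.
bool destructorTrips(Variant variant, size_t count, size_t throwAt) {
    bool tripped = false;
    defineLoop(variant, count, throwAt, tripped);
    return tripped;
}

int main() {
    std::printf("buggy, throw on 2nd property: %s\n", destructorTrips(Variant::Buggy, 3, 1) ? "trips" : "ok");
    std::printf("fixed, throw on 2nd property: %s\n", destructorTrips(Variant::Fixed, 3, 1) ? "trips" : "ok");
    std::printf("buggy, no exception:          %s\n", destructorTrips(Variant::Buggy, 3, 99) ? "trips" : "ok");
    return 0;
}
```

Two details the model makes visible: the destructor only trips once something has been appended (a throw on the very first property returns before any append, so the buggy variant survives that case), and the fix does not change what the loop returns, it only acknowledges the buffer state on the way out.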
Created attachment 367074: Patch
Attachment 367074 did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:8: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: buffer overflow [changelog/unwantedsecurityterms] [3]
ERROR: Source/JavaScriptCore/runtime/ObjectConstructor.cpp:614: Missing space before ( in while( [whitespace/parens] [5]
Total errors found: 2 in 4 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 367074: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=367074&action=review

r=me with nit.

> Source/JavaScriptCore/runtime/ObjectConstructor.cpp:620
> +        RETURN_IF_EXCEPTION_CLEARING_OVERFLOW(jsNull());

We can use `{ }` instead of `jsNull()`.
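Review bot: the early return at ObjectConstructor.cpp:620 is now routed through a macro that waives the overflow check before returning, but the description says the loop already has a second early-return path (the toPropertyDescriptor failure) that calls markBuffer.overflowCheckNotNeeded() by hand; consider using RETURN_IF_EXCEPTION_CLEARING_OVERFLOW on that path too, so both exits in the loop stay identical and a future edit cannot reintroduce the bare return. Agree with the `{ }` nit, since the value is discarded on the exception path anyway.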
Created attachment 367138: Patch for landing
Comment on attachment 367138: Patch for landing
Clearing flags on attachment: 367138
Committed r244136: <https://trac.webkit.org/changeset/244136>
All reviewed patches have been landed. Closing bug.