RESOLVED FIXED 198101
[JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
https://bugs.webkit.org/show_bug.cgi?id=198101
Yusuke Suzuki
Reported 2019-05-21 20:39:35 PDT
But we have some special path for 0 bytes. In this case, allocation size and sizeInBytes become different => authentication failure.
Attachments
Patch (2.36 KB, patch)
2019-05-21 20:45 PDT, Yusuke Suzuki
no flags
Patch (4.36 KB, patch)
2019-05-22 02:42 PDT, Yusuke Suzuki
no flags
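The mismatch described in the report, as an added model that is not WebKit's code or the patch that landed: a toy 16-bit tag stands in for the real pointer signature, and the zero-byte special path is assumed to request one byte from the allocator. All function names, the key and the sample address are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Toy stand-in for a pointer signature: a 16-bit tag over (address, modifier)
// kept in the unused top bits of a 48-bit address. Not cryptographic.
static const uint64_t kKey = 0x9e3779b97f4a7c15ULL;      // constructed key
static const uint64_t kAddrMask = 0x0000ffffffffffffULL;

static uint16_t tagFor(uint64_t addr, uint64_t modifier) {
    uint64_t h = (addr ^ kKey) * 0xff51afd7ed558ccdULL;
    h ^= h >> 33;
    uint64_t m = modifier ^ (modifier >> 16) ^ (modifier >> 32) ^ (modifier >> 48);
    return static_cast<uint16_t>(h ^ m);
}

static uint64_t sign(uint64_t addr, uint64_t modifier) {
    addr &= kAddrMask;
    return addr | (static_cast<uint64_t>(tagFor(addr, modifier)) << 48);
}

// Returns the stripped address, or 0 when the tag does not match the modifier.
static uint64_t authenticate(uint64_t signedPtr, uint64_t modifier) {
    uint64_t addr = signedPtr & kAddrMask;
    return (signedPtr >> 48) == tagFor(addr, modifier) ? addr : 0;
}

struct Contents { uint64_t signedData; size_t sizeInBytes; };

// Assumption: the zero-byte special path asks the allocator for one byte.
static size_t allocationSizeFor(size_t sizeInBytes) { return sizeInBytes ? sizeInBytes : 1; }

// Mismatched: signs with the allocation size, as in the bug title.
static Contents allocateMismatched(uint64_t addr, size_t sizeInBytes) {
    return { sign(addr, allocationSizeFor(sizeInBytes)), sizeInBytes };
}

// Consistent: signs with the same value the reader authenticates against.
static Contents allocateConsistent(uint64_t addr, size_t sizeInBytes) {
    return { sign(addr, sizeInBytes), sizeInBytes };
}

// Reader side: always authenticates with sizeInBytes.
static uint64_t data(const Contents& c) { return authenticate(c.signedData, c.sizeInBytes); }

int main() {
    const uint64_t addr = 0x00007f12345678a0ULL;  // constructed sample address
    bool ok = data(allocateMismatched(addr, 0)) == 0 && data(allocateConsistent(addr, 0)) == addr;
    return ok ? 0 : 1;
}
```

Only the zero-length case fails in the mismatched variant, because it is the only size where the two modifiers differ.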
Yusuke Suzuki
Comment 1 2019-05-21 20:40:25 PDT
Yusuke Suzuki
Comment 2 2019-05-21 20:45:58 PDT
Created attachment 370377: Patch
WIP, checking that this actually fixes the issue
Yusuke Suzuki
Comment 3 2019-05-22 02:42:20 PDT
Michael Saboff
Comment 4 2019-05-22 08:59:05 PDT
Comment on attachment 370390: Patch
r=me
Yusuke Suzuki
Comment 5 2019-05-22 10:09:55 PDT
Comment on attachment 370390: Patch
Thanks!
WebKit Commit Bot
Comment 6 2019-05-22 10:21:26 PDT
Comment on attachment 370390: Patch
Clearing flags on attachment: 370390
Committed r245622: <https://trac.webkit.org/changeset/245622>
WebKit Commit Bot
Comment 7 2019-05-22 10:21:28 PDT
All reviewed patches have been landed. Closing bug.
Keith Miller
Comment 8 2019-05-22 10:22:54 PDT
Comment on attachment 370390: Patch
Whoops! That would do it...