Bug 254331 - Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=254331
xiangwei1895
Reported 2023-03-23 06:16:01 PDT
My JSC crashed when executing the following code:

PoC:

    const v2 = new Int16Array(59925);
    function f3(a4, a5, a6, a7) {
      const o10 = {
        "maxByteLength": 786701,
      };
      const v12 = new ArrayBuffer(32, o10);
      return a6;
    }
    v2.forEach(f3);

Output:

    mprotect failed: Cannot allocate memory
    SHOULD NEVER BE REACHED
    /home/data/WebKit/Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113) : WTF::RefPtr<JSC::BufferMemoryHandle> JSC::tryAllocateResizableMemory(VM*, size_t, size_t)
    Aborted (core dumped)
Alexey Proskuryakov
Comment 1 2023-03-23 15:00:10 PDT
On macOS Apple Silicon, I get an exception and no crash.

    >>> const v2 = new Int16Array(59925);
    undefined
    >>> function f3(a4, a5, a6, a7) {
    ...   const o10 = {
    ...     "maxByteLength": 786701,
    ...   };
    ...   const v12 = new ArrayBuffer(32, o10);
    ...   return a6;
    ... }
    undefined
    >>> v2.forEach(f3);
    Exception: RangeError: Out of memory
    >>>
Yusuke Suzuki
Comment 2 2023-03-23 15:28:18 PDT
This is memory exhaustion on the Linux platform, and RELEASE_ASSERT_NOT_REACHED. Thus, not a security issue.