[webkit-changes] [WebKit/WebKit] f047d0: [WGSL] UAF in GlobalVariableRewriter
Tadeu Zagallo
noreply at github.com
Thu Aug 3 12:15:31 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f047d0a6e29e4911ce20cde9ba3b558350d749e7
https://github.com/WebKit/WebKit/commit/f047d0a6e29e4911ce20cde9ba3b558350d749e7
Author: Tadeu Zagallo <tzagallo at apple.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M Source/WebGPU/WGSL/GlobalVariableRewriter.cpp
Log Message:
-----------
[WGSL] UAF in GlobalVariableRewriter
https://bugs.webkit.org/show_bug.cgi?id=259696
rdar://113215682
Reviewed by Dan Glastonbury.
The GlobalVariableRewriter kept pointers to globals, which are values in the HashMap,
but those pointers result in a UAF once the HashMap gets resized. To fix it, instead
of storing the pointers, we just store the keys and perform another lookup. This shouldn't
be an issue since we only look it up once.
No test added because it reproduces on the existing tests with ASAN enabled.
* Source/WebGPU/WGSL/GlobalVariableRewriter.cpp:
(WGSL::RewriteGlobalVariables::collectGlobals):
(WGSL::RewriteGlobalVariables::insertStructs):
Canonical link: https://commits.webkit.org/266546@main
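
The failure mode the log message describes, as an added example that is not WebKit's code: a small flat hash map (the names `FlatMap`, `Global` and `collectThenUse` are hypothetical, and it assumes values are stored inline in the table's array) in which growth relocates every value, so an address saved earlier goes stale while a stored key still resolves. The stale address is only compared as an integer, never dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

struct Global { int binding = 0; };  // hypothetical per-global record
// Hypothetical flat map: values live inline in one array, so growth moves them.
class FlatMap {
public:
    Global& add(const std::string& key, int binding) {
        if ((m_size + 1) * 2 > m_slots.size()) grow();  // keep load <= 50%
        Slot& slot = m_slots[probe(m_slots, key)];
        if (!slot.used) { slot.used = true; slot.key = key; ++m_size; }
        slot.value.binding = binding;
        return slot.value;
    }
    Global* find(const std::string& key) {
        Slot& slot = m_slots[probe(m_slots, key)];
        return slot.used ? &slot.value : nullptr;
    }
private:
    struct Slot { bool used = false; std::string key; Global value; };
    static std::size_t probe(const std::vector<Slot>& s, const std::string& key) {
        std::size_t i = std::hash<std::string>{}(key) % s.size();
        while (s[i].used && s[i].key != key) i = (i + 1) % s.size();
        return i;
    }
    void grow() {
        std::vector<Slot> bigger(m_slots.size() * 2);
        for (Slot& slot : m_slots)
            if (slot.used) bigger[probe(bigger, slot.key)] = std::move(slot);
        m_slots = std::move(bigger);  // old array freed; saved Global* now dangle
    }
    std::vector<Slot> m_slots = std::vector<Slot>(4);
    std::size_t m_size = 0;
};

// Constructed scenario: collect one global, insert more, then use it.
struct Result { bool pointerMoved; int bindingViaKey; };
Result collectThenUse() {
    FlatMap globals;
    auto saved = reinterpret_cast<std::uintptr_t>(&globals.add("a", 7));
    std::string usedKey = "a";  // the fix pattern: keep the key, not the Global*
    for (int i = 1; i <= 8; ++i) globals.add("g" + std::to_string(i), i);
    Global* fresh = globals.find(usedKey);  // second lookup, after growth
    return { saved != reinterpret_cast<std::uintptr_t>(fresh), fresh->binding };
}
int main() { return collectThenUse().pointerMoved ? 0 : 1; }
```

Node-based containers such as `std::unordered_map` keep value addresses stable across rehashing, which is why the sketch uses its own flat table to show the relocation.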