[webkit-changes] [WebKit/WebKit] ade4ed: CloneDeserializer readTerminal crash

[Commit Queue]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ade4ed3c7a640be43828bdbd82dd416a51f3757a
      https://github.com/WebKit/WebKit/commit/ade4ed3c7a640be43828bdbd82dd416a51f3757a
  Author: Nitin Mahendru <nitinmahendru at apple.com>
  Date:   2024-08-14 (Wed, 14 Aug 2024)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp

  Log Message:
  -----------
  CloneDeserializer readTerminal crash
rdar://126132442
https://bugs.webkit.org/show_bug.cgi?id=272530

Reviewed by Alex Christensen.

Limiting the the depth for serializing/deserializing recursive objects like:
var array = [[[[[....................]]]]]... 2000 times

* Tools/TestWebKitAPI/Tests/WebCore/SerializedScriptValue.cpp:
(TestWebKitAPI::TEST):
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneBase::CloneBase):
(WebCore::CloneBase::isSafeToRecurse):
(WebCore::CloneDeserializer::readArrayBufferViewImpl):
(WebCore::CloneDeserializer::readArrayBufferView):
(WebCore::CloneDeserializer::readTerminal):

Originally-landed-as: 272448.946 at safari-7618-branch (110ae765d426). rdar://132956780
Canonical link: https://commits.webkit.org/282242@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications