[webkit-changes] [WebKit/WebKit] 4d2933: [JSC] Harden CustomGetterSetter by adding MethodTa...

Wed May 22 15:43:08 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4d29332a09b0f3b17eff2d44f464dd8dff77cad0
      https://github.com/WebKit/WebKit/commit/4d29332a09b0f3b17eff2d44f464dd8dff77cad0
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M Source/JavaScriptCore/runtime/CustomGetterSetter.h

  Log Message:
  -----------
  [JSC] Harden CustomGetterSetter by adding MethodTable overrides that always crash
https://bugs.webkit.org/show_bug.cgi?id=268897
<rdar://122171568>

Reviewed by Mark Lam.

Just like GetterSetter, CustomGetterSetter is never purposely exposed to userland code.
However, to make exploitation of accidentally exposed CustomGetterSetter objects difficult, this
patch implements MethodTable overrides that abort the program when reached, similar to GetterSetter.

* Source/JavaScriptCore/runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getOwnPropertySlot):
(JSC::CustomGetterSetter::put):
(JSC::CustomGetterSetter::putByIndex):
(JSC::CustomGetterSetter::setPrototype):
(JSC::CustomGetterSetter::defineOwnProperty):
(JSC::CustomGetterSetter::deleteProperty):

Originally-landed-as: 272448.523 at safari-7618-branch (66d8614c41ca). rdar://128498125
Canonical link: https://commits.webkit.org/279156@main

  Commit: b287b6cc9662e88415c7958132ab001431b35f9f
      https://github.com/WebKit/WebKit/commit/b287b6cc9662e88415c7958132ab001431b35f9f
  Author: Erica Li <lerica at apple.com>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt
    A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html
    M Source/WebCore/platform/mediastream/MediaConstraints.cpp
    M Source/WebCore/platform/mediastream/MediaConstraints.h
    M Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp

  Log Message:
  -----------
  WTFCrashWithSecurityImplication in WebCore::RealtimeMediaSource::fitnessDistance
https://bugs.webkit.org/show_bug.cgi?id=268800
rdar://122105977

Reviewed by Youenn Fablet.

This is short-term suggested fix to add isValid check to MediaTrackConstraintSetMap to ensure each incomming contraint from IPC call has the right MediaConstraintType.

* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt: Added.
* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html: Added.
* Source/WebCore/platform/mediastream/MediaConstraints.cpp:
(WebCore::MediaTrackConstraintSetMap::isValid const):
* Source/WebCore/platform/mediastream/MediaConstraints.h:
* Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp:
(WebKit::UserMediaCaptureManagerProxy::createMediaSourceForCaptureDeviceWithConstraints):
(WebKit::UserMediaCaptureManagerProxy::applyConstraints):

Originally-landed-as: 272448.542 at safari-7618-branch (01389d47b6ec). rdar://128498600
Canonical link: https://commits.webkit.org/279157@main

Compare: https://github.com/WebKit/WebKit/compare/223c3b4280f0...b287b6cc9662

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications