[webkit-changes] [WebKit/WebKit] 4d2933: [JSC] Harden CustomGetterSetter by adding MethodTa...
lericaa
noreply at github.com
Wed May 22 15:43:08 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4d29332a09b0f3b17eff2d44f464dd8dff77cad0
https://github.com/WebKit/WebKit/commit/4d29332a09b0f3b17eff2d44f464dd8dff77cad0
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2024-05-22 (Wed, 22 May 2024)
Changed paths:
M Source/JavaScriptCore/runtime/CustomGetterSetter.h
Log Message:
-----------
[JSC] Harden CustomGetterSetter by adding MethodTable overrides that always crash
https://bugs.webkit.org/show_bug.cgi?id=268897
<rdar://122171568>
Reviewed by Mark Lam.
Just like GetterSetter, CustomGetterSetter is never purposely exposed to userland code.
However, to make exploitation of accidentally exposed CustomGetterSetter objects difficult, this
patch implements MethodTable overrides that abort the program when reached, similar to GetterSetter.
* Source/JavaScriptCore/runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getOwnPropertySlot):
(JSC::CustomGetterSetter::put):
(JSC::CustomGetterSetter::putByIndex):
(JSC::CustomGetterSetter::setPrototype):
(JSC::CustomGetterSetter::defineOwnProperty):
(JSC::CustomGetterSetter::deleteProperty):
Originally-landed-as: 272448.523 at safari-7618-branch (66d8614c41ca). rdar://128498125
Canonical link: https://commits.webkit.org/279156@main
Commit: b287b6cc9662e88415c7958132ab001431b35f9f
https://github.com/WebKit/WebKit/commit/b287b6cc9662e88415c7958132ab001431b35f9f
Author: Erica Li <lerica at apple.com>
Date: 2024-05-22 (Wed, 22 May 2024)
Changed paths:
A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt
A LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html
M Source/WebCore/platform/mediastream/MediaConstraints.cpp
M Source/WebCore/platform/mediastream/MediaConstraints.h
M Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp
Log Message:
-----------
WTFCrashWithSecurityImplication in WebCore::RealtimeMediaSource::fitnessDistance
https://bugs.webkit.org/show_bug.cgi?id=268800
rdar://122105977
Reviewed by Youenn Fablet.
This is a short-term suggested fix to add an isValid check to MediaTrackConstraintSetMap to ensure each incoming constraint from an IPC call has the right MediaConstraintType.
* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash-expected.txt: Added.
* LayoutTests/ipc/create-media-source-with-invalid-constraints-crash.html: Added.
* Source/WebCore/platform/mediastream/MediaConstraints.cpp:
(WebCore::MediaTrackConstraintSetMap::isValid const):
* Source/WebCore/platform/mediastream/MediaConstraints.h:
* Source/WebKit/UIProcess/Cocoa/UserMediaCaptureManagerProxy.cpp:
(WebKit::UserMediaCaptureManagerProxy::createMediaSourceForCaptureDeviceWithConstraints):
(WebKit::UserMediaCaptureManagerProxy::applyConstraints):
Originally-landed-as: 272448.542 at safari-7618-branch (01389d47b6ec). rdar://128498600
Canonical link: https://commits.webkit.org/279157@main
Compare: https://github.com/WebKit/WebKit/compare/223c3b4280f0...b287b6cc9662