[webkit-changes] [WebKit/WebKit] c70297: [JSC] heap-buffer-overflow on WebKit/Source/JavaSc...
Yusuke Suzuki
noreply at github.com
Tue Jan 7 20:07:02 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c702978087bc0c1a34407bbeeeccc6cf1add3b76
https://github.com/WebKit/WebKit/commit/c702978087bc0c1a34407bbeeeccc6cf1add3b76
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2025-01-07 (Tue, 07 Jan 2025)
Changed paths:
A JSTests/stress/array-fast-fill-beyond-length.js
M Source/JavaScriptCore/runtime/JSArray.cpp
Log Message:
-----------
[JSC] heap-buffer-overflow on WebKit/Source/JavaScriptCore/runtime/WriteBarrier.h:166:17
https://bugs.webkit.org/show_bug.cgi?id=285393
rdar://142369820
Reviewed by Mark Lam.
Obtaining the length from an Array can involve some user code, which can
actually change the array's length. The fast path should check the actual
length before filling.
* JSTests/stress/array-fast-fill-beyond-length.js: Added.
(f11):
* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::JSArray::fastFill):
Canonical link: https://commits.webkit.org/288578@main
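As an added illustration (not code from WebKit, the commit, or the stress test listed above), the following JavaScript models the shape of the bug the commit message describes: a fill fast path caches the array length, user code runs before the fill happens and shrinks the array, and the fill then writes against the stale length. ModelArray, rawStore, naiveFill, checkedFill and runShrinkScenario are invented for the demo, and using the start argument's valueOf() as the stand-in for "user code" is an assumption; the commit does not say which hook JSC hit. The model turns the unchecked store into a thrown RangeError so the overflow is observable instead of silent memory corruption.

```javascript
// Added example, not WebKit code: a toy model of an Array fill fast path.
// ModelArray, rawStore, naiveFill, checkedFill and runShrinkScenario are
// invented for this demo; the valueOf() hook stands in for "user code that
// runs while the engine is preparing the fill" (the commit says such code
// can change the array's length; which hook JSC hit is not stated here).

class ModelArray {
  constructor(length) {
    this.length = length;                  // the JS-visible length
    this.storage = new Array(length);      // backing vector, sized to length
  }
  // User code shrinking the array: both length and backing vector shrink.
  setLength(n) {
    this.storage.length = n;
    this.length = n;
  }
}

// ToIntegerOrInfinity-like coercion. Number(v) calls v.valueOf(), i.e. user code.
function toInteger(v) {
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Clamp a relative index into [0, len] as Array.prototype.fill does.
function clampIndex(rel, len) {
  return rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
}

// Models an unchecked store into the backing vector. A real engine would just
// write past the allocation; the model throws so the overflow is observable.
function rawStore(arr, index, value) {
  if (index >= arr.storage.length) {
    throw new RangeError(`out-of-bounds store: index ${index}, vector length ${arr.storage.length}`);
  }
  arr.storage[index] = value;
}

// Buggy shape: the length is read once, user code runs during argument
// coercion, and the fast path fills against the now-stale length.
function naiveFill(arr, value, start, end) {
  const len = arr.length;                                  // 1. length cached
  const k = clampIndex(toInteger(start), len);             // 2. user code may run here
  const fin = end === undefined ? len : clampIndex(toInteger(end), len);
  for (let i = k; i < fin; i++) rawStore(arr, i, value);   // 3. no re-check
  return "fast";
}

// Fixed shape: re-read the actual length immediately before the fast path and
// fall back to a generic (growing) store when it no longer covers the range.
function checkedFill(arr, value, start, end) {
  const len = arr.length;
  const k = clampIndex(toInteger(start), len);
  const fin = end === undefined ? len : clampIndex(toInteger(end), len);
  if (fin <= arr.length) {                                 // actual length re-checked
    for (let i = k; i < fin; i++) rawStore(arr, i, value);
    return "fast";
  }
  for (let i = k; i < fin; i++) {                          // slow path: generic Set
    arr.storage[i] = value;                                // JS arrays grow on write
    arr.length = Math.max(arr.length, i + 1);
  }
  return "slow";
}

// Constructed scenario: the start argument's valueOf shrinks the array from
// 16 to 2 elements after fill has already committed to len = 16.
function runShrinkScenario(fillFn) {
  const arr = new ModelArray(16);
  const shrinkingStart = { valueOf() { arr.setLength(2); return 0; } };
  try {
    const path = fillFn(arr, 7, shrinkingStart, 10);
    return { outcome: "ok", path, length: arr.length };
  } catch (e) {
    if (e instanceof RangeError) return { outcome: "oob", path: "fast", length: arr.length };
    throw e;
  }
}

console.log("naive:  ", runShrinkScenario(naiveFill));    // { outcome: "oob", path: "fast", length: 2 }
console.log("checked:", runShrinkScenario(checkedFill));  // { outcome: "ok", path: "slow", length: 10 }
```

The point the model makes is the ordering: the length used to bound the fast path must be read after every opportunity for user code to run, or the fast path must bail out to a checked slow path when the re-read length no longer covers the requested range. Any engine-side "fast" loop that trusts a length captured before argument coercion has the same time-of-check/time-of-use hazard.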