[webkit-changes] [WebKit/WebKit] 9cee5d: Update incorrect bounds check in arrayInitData tha...
Commit Queue
noreply at github.com
Fri Jan 31 21:53:52 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9cee5daeabd138d039806770b90907a6fff97cc3
https://github.com/WebKit/WebKit/commit/9cee5daeabd138d039806770b90907a6fff97cc3
Author: Daniel Liu <daniel_liu4 at apple.com>
Date: 2025-01-31 (Fri, 31 Jan 2025)
Changed paths:
A JSTests/wasm/stress/array-init-data-bounds.js
M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
Log Message:
-----------
Update incorrect bounds check in arrayInitData that could lead to overflow
https://bugs.webkit.org/show_bug.cgi?id=284332
rdar://140773517
Reviewed by Yusuke Suzuki.
arrayInitData's operation currently checks that the source index plus the size
has not overflowed. However, size is the number of array elements, meaning that
size * elementSize could potentially overflow later on.
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::arrayInitData):
Originally-landed-as: 283286.574 at safari-7620-branch (8fbbb5e792fb). rdar://143593161
Canonical link: https://commits.webkit.org/289656@main
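The class of bug the log message describes, shown as an added C example that is not part of this commit or of WebKit's code: a guard that only rules out wraparound of index plus element count, beside one that validates the byte length. All function names, the 32-bit widths and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not WebKit code: copy `count` elements of `elem_size`
 * bytes each, starting at byte `offset` of a segment `seg_len` bytes long. */

/* Flawed guard: rules out wraparound of offset + count only. `count` is an
 * element count, so the byte length count * elem_size is left unchecked and
 * wraps modulo 2^32 when it is computed afterwards. */
static bool flawed_range_ok(uint32_t offset, uint32_t count,
                            uint32_t elem_size, uint32_t seg_len)
{
    if (offset > UINT32_MAX - count)
        return false;                      /* offset + count would wrap */
    uint32_t bytes = count * elem_size;    /* unsigned multiply: may wrap */
    return bytes <= seg_len && offset <= seg_len - bytes;
}

/* Hardened guard: widen to 64 bits before multiplying. Two 32-bit operands
 * cannot overflow a 64-bit product, and adding a 32-bit offset still fits. */
static bool checked_range_ok(uint32_t offset, uint32_t count,
                             uint32_t elem_size, uint32_t seg_len)
{
    uint64_t bytes = (uint64_t)count * elem_size;
    return (uint64_t)offset + bytes <= seg_len;
}

/* Byte length the copy really needs, for comparison with the wrapped value. */
static uint64_t true_byte_len(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size;
}

int main(void)
{
    /* Constructed input: 0x40000001 four-byte elements, 16-byte segment. */
    uint32_t count = 0x40000001u, elem = 4, seg = 16;
    printf("needed bytes: %llu\n", (unsigned long long)true_byte_len(count, elem));
    printf("flawed guard accepts:  %d\n", flawed_range_ok(0, count, elem, seg));
    printf("checked guard accepts: %d\n", checked_range_ok(0, count, elem, seg));
    return 0;
}
```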