[webkit-dev] RenderArena: Teaching an old dog new tricks

Ryosuke Niwa rniwa at webkit.org
Wed Nov 14 20:59:16 PST 2012

On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <esprehn at chromium.org> wrote:

> I was present for one of the discussions about the exploit and how an
> arena like allocator could have helped at Google. One proposed solution was
> to allocate all the JS typed buffers in an arena.
> Is there a reason we can't just do that? It's much less intrusive to
> allocate ArrayBuffer in an arena than to allocate all DOM objects in one.

I don’t think allocating all JS objects in an arena is good enough because
attackers can inject nearly arbitrary sequences of bytes into DOM objects
(e.g. text nodes).

- R. Niwa