[webkit-dev] RenderArena: Teaching an old dog new tricks

Adam Barth abarth at webkit.org
Wed Nov 14 21:59:22 PST 2012


On Nov 14, 2012 8:59 PM, "Ryosuke Niwa" <rniwa at webkit.org> wrote:
>
> On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <esprehn at chromium.org> wrote:
>>
>> I was present for one of the discussions about the exploit and how an
>> arena-like allocator could have helped at Google. One proposed solution was
>> to allocate all the JS typed buffers in an arena.
>>
>> Is there a reason we can't just do that? It's much less intrusive to
>> allocate ArrayBuffer in an arena than to allocate all DOM objects in one.
>
>
> I don't think allocating all JS objects in an arena is good enough
> because attackers can inject nearly arbitrary sequences of bytes into DOM
> objects (e.g. a text node).

The text for a text node is stored in a String, not in the Node object
itself.

Adam
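The allocator property the thread is arguing about, as an added illustration that is not WebKit code and not from any of the posters: a tiny fixed-slot arena with a LIFO free list, run once with Nodes and byte buffers sharing one arena and once with each type in its own arena. Slot sizes, the arena layout and the function names are hypothetical.

```c
/* Added illustration, not WebKit code: a minimal fixed-slot arena with a LIFO
 * free list. Giving DOM Node objects and ArrayBuffer-style byte storage separate
 * arenas means a freed Node's slot is never handed back as script-writable
 * bytes; a shared arena is run for contrast. Sizes are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOT_SIZE 64
#define SLOTS     8
typedef struct Arena {
    uint8_t slots[SLOTS][SLOT_SIZE];
    int free_stack[SLOTS];   /* indices of free slots; last pushed is allocated next */
    int free_top;
} Arena;
static void arena_init(Arena *a) {
    for (int i = 0; i < SLOTS; i++) a->free_stack[i] = SLOTS - 1 - i;
    a->free_top = SLOTS;
}
static void *arena_alloc(Arena *a) {
    if (a->free_top == 0) return NULL;
    void *p = a->slots[a->free_stack[--a->free_top]];
    memset(p, 0, SLOT_SIZE);
    return p;
}
static void arena_free(Arena *a, void *p) {
    ptrdiff_t off = (uint8_t *)p - &a->slots[0][0];
    if (off < 0 || off >= SLOTS * SLOT_SIZE || off % SLOT_SIZE) return; /* foreign pointer */
    a->free_stack[a->free_top++] = (int)(off / SLOT_SIZE);
}
/* 1 if a buffer allocated right after a Node is freed lands on the Node's old
 * address, i.e. the allocator lets the two object types share slots. */
int buffer_can_reuse_node_slot(int partitioned) {
    Arena node_arena, buffer_arena;
    arena_init(&node_arena);
    arena_init(&buffer_arena);
    Arena *buffers = partitioned ? &buffer_arena : &node_arena;
    void *node = arena_alloc(&node_arena);  /* a live DOM node */
    arena_free(&node_arena, node);          /* node destroyed; stale pointers may remain */
    void *buffer = arena_alloc(buffers);    /* byte storage a page can fill */
    return buffer == node;
}
int main(void) {
    printf("shared arena:      buffer reuses node slot = %d\n", buffer_can_reuse_node_slot(0));
    printf("partitioned arena: buffer reuses node slot = %d\n", buffer_can_reuse_node_slot(1));
    return 0;
}
```

The shared run prints 1 (the freed Node's slot is immediately handed out as buffer storage) and the partitioned run prints 0, which is the separation the thread proposes for ArrayBuffer; it says nothing about data held behind the Node, such as a text node's String, which the last reply points out lives elsewhere.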