[webkit-dev] RenderArena: Teaching an old dog new tricks

Elliott Sprehn esprehn at chromium.org
Wed Nov 14 22:36:09 PST 2012


On Thu, Nov 15, 2012 at 1:29 AM, Ryosuke Niwa <rniwa at webkit.org> wrote:

> ...
> In other words, why are you interested in using the proposed allocation
> mechanism for only DOM nodes/objects instead of everything in
> WebCore/WebKit?
>
>
This was my concern as well. It would seem you'd need many different
arenas, and that would only make it really annoying to get use-after-frees,
since they have to be in the same arena, not impossible.

The major danger is really ArrayBuffer (and I suppose String), which lets
you allocate an object of a specific size, aligned the same as the freed
object. You can then create thousands of them until you get one on top of
the freed location and fill in the buffer with the malicious vtable and ptr.

How hard would it be to allocate the void* buffer and the String UChar*
with an arena?

- E
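The reclaim-and-spray scenario the mail describes, as an added toy model that is not WebKit code and not part of the original thread. It assumes a fixed-size-class pool allocator with a LIFO free stack (`Pool`), a `Node` with a vtable pointer standing in for a DOM object, an attacker-controlled byte buffer standing in for ArrayBuffer, and a fake vtable (`kFakeVT`) whose address the attacker is assumed to already know via an infoleak. Free-slot bookkeeping is kept in a side stack so a freed chunk's bytes are left untouched, which is a simplification; many real allocators write metadata into the freed chunk. All of those names and choices are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy size-class allocator: SLOTS chunks of CHUNK bytes, LIFO free stack.
 * Bookkeeping lives beside the chunks, so a freed chunk keeps its old bytes
 * until someone reclaims it (no poisoning). Assumed model, not WebKit's. */
enum { CHUNK = 32, SLOTS = 64 };

typedef struct {
    _Alignas(16) unsigned char mem[SLOTS][CHUNK];
    int free_stack[SLOTS];
    int top;
} Pool;

static void pool_init(Pool *p) {
    memset(p->mem, 0, sizeof p->mem);
    p->top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) p->free_stack[p->top++] = i; /* slot 0 is handed out first */
}

static void *pool_alloc(Pool *p) {
    if (p->top == 0) return NULL;
    return p->mem[p->free_stack[--p->top]];
}

static void pool_free(Pool *p, void *ptr) {
    int idx = (int)(((unsigned char *)ptr - &p->mem[0][0]) / CHUNK);
    p->free_stack[p->top++] = idx; /* LIFO: the next same-size alloc gets this chunk back */
}

/* "DOM node" with a vtable pointer as its first word, like a C++ object. */
typedef struct Node Node;
typedef struct { int (*kind)(const Node *); } VTable;
struct Node { const VTable *vt; uint32_t id; }; /* 16 bytes, fits in CHUNK */

static int real_kind(const Node *n) { (void)n; return 1; }
static int hijacked(const Node *n) { (void)n; return 0xdead; } /* stands in for attacker code */
static const VTable kNodeVT = { real_kind };
static const VTable kFakeVT = { hijacked }; /* attacker memory; address assumed leaked */

typedef struct { int reclaimed; int call_result; } Outcome;

/* The attack from the mail: free a node but keep using the pointer, spray
 * attacker-filled buffers of the same size, then make a virtual call through
 * the dangling pointer. node_pool and buf_pool are the same Pool for a shared
 * heap and different Pools when nodes live in their own arena. */
static Outcome run_uaf(Pool *node_pool, Pool *buf_pool) {
    Outcome o = { 0, 0 };
    for (int i = 0; i < 5; i++) { /* some live nodes so the victim is not slot 0 */
        Node *n = pool_alloc(node_pool);
        n->vt = &kNodeVT; n->id = (uint32_t)i;
    }
    Node *victim = pool_alloc(node_pool);
    victim->vt = &kNodeVT; victim->id = 42;
    pool_free(node_pool, victim); /* the bug: victim is freed but still referenced */

    const VTable *fake = &kFakeVT; /* "ArrayBuffer" spray: same size class, full control of contents */
    for (int i = 0; i < 16; i++) {
        unsigned char *buf = pool_alloc(buf_pool);
        if (!buf) break;
        memcpy(buf, &fake, sizeof fake); /* first word becomes the fake vtable pointer */
        memset(buf + sizeof fake, 0x41, CHUNK - sizeof fake);
        if ((void *)buf == (void *)victim) o.reclaimed = 1;
    }
    o.call_result = victim->vt->kind(victim); /* dangling virtual call */
    return o;
}

/* Shared heap: the first sprayed buffer lands on the freed node, so the
 * virtual call goes through the attacker's vtable. */
static Outcome shared_heap(void) {
    static Pool heap;
    pool_init(&heap);
    return run_uaf(&heap, &heap);
}

/* Separate arena for nodes: no buffer can land on the freed slot, so the
 * call still goes through the stale but intact vtable. */
static Outcome separate_arenas(void) {
    static Pool nodes, bufs;
    pool_init(&nodes); pool_init(&bufs);
    return run_uaf(&nodes, &bufs);
}

/* The arena does not remove the use-after-free: another object of the
 * arena's own type still reclaims the slot, which is the "not impossible"
 * part of the mail. */
static int same_arena_reclaims(void) {
    static Pool nodes;
    pool_init(&nodes);
    Node *victim = pool_alloc(&nodes);
    victim->vt = &kNodeVT; victim->id = 7;
    pool_free(&nodes, victim);
    Node *other = pool_alloc(&nodes);
    return other == victim;
}

int main(void) {
    Outcome s = shared_heap(), a = separate_arenas();
    printf("shared heap:     reclaimed=%d call=0x%x\n", s.reclaimed, s.call_result);
    printf("separate arenas: reclaimed=%d call=0x%x\n", a.reclaimed, a.call_result);
    printf("same-arena object reclaims slot: %d\n", same_arena_reclaims());
    return 0;
}
```

The model only shows why the spray needs a same-size, same-arena allocation with attacker-controlled contents; it says nothing about how hard it is to get such an object in a given arena, which is the question the mail leaves open.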