[Webkit-unassigned] [Bug 100173] Re-order variables in BidiRun and LayoutState

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 29 09:07:01 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100173
--- Comment #1 from Chris Evans <cevans at google.com>  2012-10-29 09:08:17 PST ---
OK, with some variable re-ordering in a couple of the layout objects, it's possible to
1) Achieve some space savings.
2) Enhance security against use-after-free slightly.

The space savings are to be honest far more interesting. BidiRun goes from 32 bytes to 24 bytes on 64-bit (20 bytes to 16 bytes on 32-bit), and despite the name, BidiRun is used very copiously in text rendering in general (e.g. triggers liberally on western language pages.)

The use-after-free situation is subtle but worth documenting. Most object slots in the RenderArena now start with either a valid vtable pointer when allocated or a poisoned freelist pointer (high bit set) when freed. The exceptions are BidiRun and LayoutState. Pre-patch, the attacker gets some control of every byte of the first sizeof(void*) bytes, which is an unfortunate overlap with a vtable pointer. Post-patch, this is not the case.

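The two effects the comment describes, the padding saved by putting the pointers first and the change in what a stale RenderObject pointer would read as a vtable word once an arena slot is recycled, as an added example. This is not the WebKit patch and the structs below are not BidiRun's actual members: RunBefore, RunAfter, RenderObjectLike, ToyArena and kFreePoison are hypothetical stand-ins chosen so that the reordering saves exactly one pointer-sized word and so that the first word of the "before" layout is bytes the page content (start/stop text offsets) controls.

```cpp
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <new>

// Stand-in for a RenderArena object: its first word is a vtable pointer, which is
// what a dangling RenderObject* expects to find in the slot it still points at.
struct RenderObjectLike {
    virtual ~RenderObjectLike() {}
    virtual int layout() { return 1; }
};

// Hypothetical "before" layout (not WebKit's real BidiRun): content-derived text
// offsets occupy the first word, and each pointer sits after a 1-byte field, so
// each one drags in alignment padding.
struct RunBefore {
    int m_start;                 // text offset, derived from page content
    int m_stop;                  // text offset, derived from page content
    bool m_override;             // 1 byte + padding before the next pointer
    RunBefore* m_next;
    unsigned char m_level;       // 1 byte + padding before the next pointer
    RenderObjectLike* m_object;
};

// Hypothetical "after" layout: pointers first, then the ints, then the 1-byte
// fields packed together at the end. One padding word disappears.
struct RunAfter {
    RunAfter* m_next;
    RenderObjectLike* m_object;
    int m_start;
    int m_stop;
    bool m_override;
    unsigned char m_level;
};

static size_t sizeBefore() { return sizeof(RunBefore); }
static size_t sizeAfter()  { return sizeof(RunAfter); }

// Freelist poison: high bit set, so a freed slot's first word is never a valid
// user-space vtable pointer (mirrors the comment's "poisoned freelist pointer").
constexpr uintptr_t kFreePoison = uintptr_t(1) << (sizeof(uintptr_t) * 8 - 1);

// Toy single-slot arena (assumption, not RenderArena): freeing writes the poisoned
// freelist pointer into the slot's first word; allocating hands the slot back out.
struct ToyArena {
    alignas(void*) unsigned char slot[64];
    void* freeHead = nullptr;

    void* allocate() { freeHead = nullptr; return slot; }
    void release(void* p) {
        uintptr_t poisoned = reinterpret_cast<uintptr_t>(freeHead) | kFreePoison;
        std::memcpy(p, &poisoned, sizeof poisoned);
        freeHead = p;
    }
};

// The first pointer-sized word of whatever currently lives at p: the bytes a
// stale RenderObjectLike* would dereference as the vtable pointer.
static uintptr_t firstWord(const void* p) {
    uintptr_t w;
    std::memcpy(&w, p, sizeof w);
    return w;
}

static bool isPoisonedFreeWord(uintptr_t w) { return (w & kFreePoison) != 0; }

// Use-after-free scenario: a RenderObjectLike occupies the slot, is destroyed and
// freed (slot poisoned), then the slot is reused for a run whose m_start/m_stop
// came from page text. Returns the word a stale RenderObjectLike* now reads.
template <class Run>
static uintptr_t vtableWordAfterReuse(int start, int stop) {
    ToyArena arena;
    void* mem = arena.allocate();
    RenderObjectLike* obj = new (mem) RenderObjectLike;
    obj->~RenderObjectLike();
    arena.release(mem);
    if (!isPoisonedFreeWord(firstWord(mem)))
        return 0;                                   // arena invariant broken; should not happen
    Run* run = new (arena.allocate()) Run{};
    run->m_next = run;                              // a real heap address, like any live run
    run->m_start = start;
    run->m_stop = stop;
    return firstWord(run);
}

// True when every byte of the word is exactly the start/stop bytes the attacker
// chose (the whole word on 64-bit, start alone on 32-bit).
static bool attackerOwnsVTableWord(uintptr_t word, int start, int stop) {
    unsigned char expect[sizeof word] = {};
    std::memcpy(expect, &start, sizeof start);
    if (sizeof word > sizeof start)
        std::memcpy(expect + sizeof start, &stop, sizeof word - sizeof start);
    return std::memcmp(&word, expect, sizeof word) == 0;
}

int main() {
    std::printf("sizeof(RunBefore)=%zu sizeof(RunAfter)=%zu\n", sizeBefore(), sizeAfter());
    uintptr_t before = vtableWordAfterReuse<RunBefore>(0x41414141, 0x42424242);
    uintptr_t after  = vtableWordAfterReuse<RunAfter>(0x41414141, 0x42424242);
    std::printf("before: vtable word %#llx attacker-owned=%d\n",
                (unsigned long long)before, attackerOwnsVTableWord(before, 0x41414141, 0x42424242));
    std::printf("after:  vtable word %#llx attacker-owned=%d\n",
                (unsigned long long)after, attackerOwnsVTableWord(after, 0x41414141, 0x42424242));
    return 0;
}
```

With the "before" layout the recycled slot's first word is the attacker's start/stop bytes, so a stale pointer that dereferences it as a vtable is steered to an address of the attacker's choosing; with the "after" layout the same word is a live heap pointer (m_next), which the attacker does not get to spell out byte by byte. The size difference is one pointer-sized word on both 32-bit and 64-bit, the same direction as the comment's figures, though the absolute sizes here are those of the hypothetical structs, not BidiRun's.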