[Webkit-unassigned] [Bug 216501] New: Segfault in WebCore::IDBKey::createBinary

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 14 16:19:10 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=216501

            Bug ID: 216501
           Summary: Segfault in WebCore::IDBKey::createBinary
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

The script below crashes due to code IDBKey::createBinary(JSC::JSArrayBufferView&) not handling the case where we can't get a buffer view due to running out of memory.

-- test.html --
<script>
const a = [];
a.length = 2**30
a.__proto__ = {};
Object.defineProperty(a, 0, { get: foo });
function foo() {
  new Uint8Array(a);
}

try {
  foo();
} catch {}

try {
  while(1) {
    new ArrayBuffer(2**20);
  }
} catch {}

let u8 = new Uint8Array();
IDBKeyRange.only(u8);
</script>

Steps To Reproduce:

DYLD_FRAMEWORK_PATH=<WEBKIT_PATH>/WebKitBuild/Debug <WEBKIT_PATH>/WebKitBuild/Debug/WebKitTestRunner test.html

Results:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000020
Exception Note:        EXC_CORPSE_NOTIFY


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000004a14631fa WebCore::IDBKey::createBinary(JSC::JSArrayBufferView&) + 42
1   com.apple.WebCore                   0x00000004a19abe62 WebCore::createIDBKeyFromValue(JSC::JSGlobalObject&, JSC::JSValue, WTF::Vector<JSC::JSArray*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 2178
2   com.apple.WebCore                   0x00000004a197ee62 WebCore::scriptValueToIDBKey(JSC::JSGlobalObject&, JSC::JSValue) + 34
3   com.apple.WebCore                   0x00000004a147098a WebCore::IDBKeyRange::only(JSC::JSGlobalObject&, JSC::JSValue) + 122
4   com.apple.WebCore                   0x00000004a097090f WebCore::jsIDBKeyRangeConstructorFunctionOnly(JSC::JSGlobalObject*, JSC::CallFrame*) + 287
5   ???                                 0x0000251383201178 0 + 40765734523256
6   com.apple.JavaScriptCore            0x00000004a9a451b1 llint_entry + 120103

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200914/b19152ea/attachment.htm>

More information about the webkit-unassigned mailing list