Prevent unsafe access to internal types

author Carlos Garcia Campos <carlosgc@webkit.org>

Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)

committer Alberto Garcia <berto@igalia.com>

Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
author Carlos Garcia Campos <carlosgc@webkit.org>
Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
committer Alberto Garcia <berto@igalia.com>
Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
diff --git a/Source/JavaScriptCore/runtime/MapData.h b/Source/JavaScriptCore/runtime/MapData.h

index 615a3f438116de2c645f68eff8c54d3aa723a29b..c0504a67599d262241d789636d017f56d854ee34 100644 (file)
--- a/Source/JavaScriptCore/runtime/MapData.h
+++ b/Source/JavaScriptCore/runtime/MapData.h
@@ -42,8 +42,8 @@ public:
          const_iterator(const MapData*);
          ~const_iterator();
          const WTF::KeyValuePair<JSValue, JSValue> operator*() const;
-        JSValue key() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
-        JSValue value() const { ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
+        JSValue key() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].key.get(); }
+        JSValue value() const { RELEASE_ASSERT(!atEnd()); return m_mapData->m_entries[m_index].value.get(); }
          void operator++() { ASSERT(!atEnd()); internalIncrement(); }
          static const_iterator end(const MapData*);
          bool operator!=(const const_iterator& other);
diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp

index 28f22dab0df1be0aa7b5e2f16a44d13d6d776bf9..50221e77d59abec84e2e84affe778b09f54fe1de 100644 (file)
--- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -1218,6 +1218,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
      Vector<JSObject*, 32> inputObjectStack;
      Vector<MapData*, 4> mapDataStack;
      Vector<MapData::const_iterator, 4> iteratorStack;
+    Vector<JSValue, 4> iteratorValueStack;
      Vector<WalkerState, 16> stateStack;
      WalkerState state = StateUnknown;
      JSValue inValue = in;
@@ -1386,16 +1387,20 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
                      goto objectStartVisitMember;
                  }
                  inValue = ptr.key();
+                m_gcBuffer.append(ptr.value());
+                iteratorValueStack.append(ptr.value());
                  stateStack.append(MapDataEndVisitKey);
                  goto stateUnknown;
              }
              case MapDataEndVisitKey: {
-                inValue = iteratorStack.last().value();
+                inValue = iteratorValueStack.last();
+                iteratorValueStack.removeLast();
                  stateStack.append(MapDataEndVisitValue);
                  goto stateUnknown;
              }
              case MapDataEndVisitValue: {
-                ++iteratorStack.last();
+                if (iteratorStack.last() != mapDataStack.last()->end())
+                    ++iteratorStack.last();
                  goto mapDataStartVisitEntry;
              }
author	Carlos Garcia Campos <carlosgc@webkit.org>
	Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
committer	Alberto Garcia <berto@igalia.com>
	Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
Source/JavaScriptCore/runtime/MapData.h		patch \| blob \| history
Source/WebCore/bindings/js/SerializedScriptValue.cpp		patch \| blob \| history