Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | 1 | Backport patch to fix CVE-2017-17821. Refer to |
| 2 | https://security-tracker.debian.org/tracker/CVE-2017-17821. |
| 3 | |
| 4 | Upstream-Status: Backport [https://trac.webkit.org/changeset/232119/webkit] |
| 5 | CVE: CVE-2017-17821 |
| 6 | |
| 7 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 8 | |
| 9 | From 2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Mon Sep 17 00:00:00 2001 |
| 10 | From: "mcatanzaro@igalia.com" |
| 11 | <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> |
| 12 | Date: Wed, 23 May 2018 17:54:01 +0000 |
| 13 | Subject: [PATCH] Prohibit shrinking the FastBitVector |
| 14 | https://bugs.webkit.org/show_bug.cgi?id=181020 |
| 15 | |
| 16 | Reviewed by Oliver Hunt. |
| 17 | |
| 18 | Prohibit shrinking the FastBitVector. It's not prepared for this and the current usage does |
| 19 | not require it. |
| 20 | |
| 21 | * wtf/FastBitVector.cpp: |
| 22 | (WTF::FastBitVectorWordOwner::resizeSlow): |
| 23 | |
| 24 | git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232119 268f45cc-cd09-0410-ab3c-d52691b4dbfc |
| 25 | --- |
| 26 | Source/WTF/wtf/FastBitVector.cpp | 2 ++ |
| 27 | 2 files changed, 15 insertions(+) |
| 28 | |
| 29 | diff --git a/Source/WTF/wtf/FastBitVector.cpp b/Source/WTF/wtf/FastBitVector.cpp |
| 30 | index eed316975f4..8b019aaa3ed 100644 |
| 31 | --- a/Source/WTF/wtf/FastBitVector.cpp |
| 32 | +++ b/Source/WTF/wtf/FastBitVector.cpp |
| 33 | @@ -42,6 +42,8 @@ void FastBitVectorWordOwner::setEqualsSlow(const FastBitVectorWordOwner& other) |
| 34 | void FastBitVectorWordOwner::resizeSlow(size_t numBits) |
| 35 | { |
| 36 | size_t newLength = fastBitVectorArrayLength(numBits); |
| 37 | + |
| 38 | + RELEASE_ASSERT(newLength >= arrayLength()); |
| 39 | |
| 40 | // Use fastCalloc instead of fastRealloc because we expect the common |
| 41 | // use case for this method to be initializing the size of the bitvector. |
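Review bot: The added `RELEASE_ASSERT(newLength >= arrayLength());` in resizeSlow compares array lengths in words, not bit counts, so a call that lowers numBits without lowering fastBitVectorArrayLength(numBits) still passes the check. If that case is meant to be allowed, a one-line comment above the assert should say that shrinking is rejected only at word granularity and why (the commit message says the class is not prepared for shrinking); the assert currently carries no comment. Separately, the diffstat reports "2 files changed, 15 insertions(+)" while only the two-line FastBitVector.cpp hunk is present, so the backport header should state which part of the upstream change was left out.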
| 42 | -- |
| 43 | 2.17.0 |
| 44 | |