Security: Potential integer overflow in memory allocation expression in TerminatedArray
Issue description
From third_party/WebKit/Source/wtf/TerminatedArray.h:

  static PassPtr create(size_t capacity) {
    return wrapUnique(
        static_cast<TerminatedArray*>(WTF::Partitions::fastMalloc(
            capacity * sizeof(T), WTF_HEAP_PROFILER_TYPE_NAME(T))));
  }

There should probably be a Partitions::fastCalloc or similar 2-argument function, and we should use it here.
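The report's concern is that `capacity * sizeof(T)` is computed in plain `size_t` arithmetic, so a large `capacity` wraps the product and `fastMalloc` receives a much smaller byte count than the caller will go on to index. The following is an added, stand-alone illustration (not Blink's or PartitionAlloc's code) of that wrap-around beside a checked two-argument allocator of the kind the report asks for; `checkedAllocationSize`, `uncheckedAllocationSize` and `allocateArray` are hypothetical names chosen here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <limits>

// The pattern the report flags: count * elemSize in size_t arithmetic.
// On overflow the product silently wraps, so the caller ends up with a
// buffer far smaller than the `count` elements it believes it owns.
size_t uncheckedAllocationSize(size_t count, size_t elemSize) {
    return count * elemSize;
}

// Hypothetical checked variant: refuses the request instead of wrapping.
// Returns false when count * elemSize does not fit in size_t; on success
// stores the exact byte count in *out.
bool checkedAllocationSize(size_t count, size_t elemSize, size_t* out) {
    if (elemSize != 0 &&
        count > std::numeric_limits<size_t>::max() / elemSize) {
        return false;  // would overflow: caller must treat this as failure
    }
    *out = count * elemSize;
    return true;
}

// A stand-in for the two-argument allocator interface (fastCalloc-style)
// suggested in the report. Because the size check lives inside the
// allocator, no call site can forget it. Memory is zero-filled so the
// caller never reads uninitialised bytes. Returns nullptr on overflow or
// allocation failure; release with std::free.
void* allocateArray(size_t count, size_t elemSize) {
    size_t bytes = 0;
    if (!checkedAllocationSize(count, elemSize, &bytes))
        return nullptr;
    void* p = std::malloc(bytes == 0 ? 1 : bytes);
    if (p)
        std::memset(p, 0, bytes);
    return p;
}

// Convenience used to demonstrate the allocator end to end: true if the
// allocation succeeded (and was released), false if it was refused.
bool allocationSucceeds(size_t count, size_t elemSize) {
    void* p = allocateArray(count, elemSize);
    bool ok = (p != nullptr);
    std::free(p);
    return ok;
}
```

With a 64-byte element type, a `count` of `SIZE_MAX / 64 + 1` makes the unchecked product wrap to exactly 0 bytes, whereas the checked allocator reports failure for the same request; the same check is what a `fastCalloc(count, size)` interface can perform once for every caller.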
Jun 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/66d7c69f7d8c8d63138066ad74a89524f3a4e250

commit 66d7c69f7d8c8d63138066ad74a89524f3a4e250
Author: palmer <palmer@chromium.org>
Date: Mon Jun 26 20:56:24 2017

Check for integer overflow in allocations.

BUG=669751
Review-Url: https://codereview.chromium.org/2957583004
Cr-Commit-Position: refs/heads/master@{#482392}

[modify] https://crrev.com/66d7c69f7d8c8d63138066ad74a89524f3a4e250/third_party/WebKit/Source/core/css/CSSSelectorList.cpp
[modify] https://crrev.com/66d7c69f7d8c8d63138066ad74a89524f3a4e250/third_party/WebKit/Source/platform/heap/HeapTerminatedArray.h
[modify] https://crrev.com/66d7c69f7d8c8d63138066ad74a89524f3a4e250/third_party/WebKit/Source/platform/wtf/TerminatedArray.h
[modify] https://crrev.com/66d7c69f7d8c8d63138066ad74a89524f3a4e250/third_party/WebKit/Source/platform/wtf/allocator/Partitions.h
Jun 26 2017
Here's another one: https://codereview.chromium.org/2957933002

The long-term, more-complete fix is (IMO) to get rid of all allocator interfaces that take just a single size argument. (Both in PA and in WTF.)
Jun 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a62b55155c2812142c3e6d10a51dc5cd33d0fc7f

commit a62b55155c2812142c3e6d10a51dc5cd33d0fc7f
Author: palmer <palmer@chromium.org>
Date: Tue Jun 27 17:51:39 2017

Fix another FastMalloc call site with potential integer overflow.

BUG=669751
Review-Url: https://codereview.chromium.org/2957933002
Cr-Commit-Position: refs/heads/master@{#482676}

[modify] https://crrev.com/a62b55155c2812142c3e6d10a51dc5cd33d0fc7f/third_party/WebKit/Source/core/xml/XSLTProcessorLibxslt.cpp
[modify] https://crrev.com/a62b55155c2812142c3e6d10a51dc5cd33d0fc7f/third_party/WebKit/Source/platform/wtf/allocator/Partitions.h
Oct 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by och...@chromium.org, Nov 30 2016