Changeset 51128 in webkit for trunk/JavaScriptCore

Timestamp:

Nov 18, 2009, 12:46:10 PM (16 years ago)

Author:

[email protected]

Message:

Interpreter may do an out of range access when throwing an exception in the profiler.
​https://bugs.webkit.org/show_bug.cgi?id=31635

Reviewed by Alexey Proskuryakov.

Add bounds check.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-11-18  Oliver Hunt  <[email protected]>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Interpreter may do an out of range access when throwing an exception in the profiler.
+        https://bugs.webkit.org/show_bug.cgi?id=31635
+
+        Add bounds check.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::throwException):
+
 2009-11-18  Gabor Loki  <[email protected]>
 

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -538 +538 @@
         if (isCallBytecode(codeBlock->instructions()[bytecodeOffset].u.opcode))
             profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 2].u.operand).jsValue());
-        else if (codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
+        else if (codeBlock->instructions().size() > (bytecodeOffset + 8) && codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
             profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 10].u.operand).jsValue());
 #else