194800 – (CVE-2019-8559) Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.

Bug 194800 - (CVE-2019-8559) Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.

Summary: (CVE-2019-8559) Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-02-18 16:53 PST by Mark Lam
Modified:	2019-04-04 09:30 PDT (History)
CC List:	12 users (show)

See Also:

Attachments
proposed patch. (3.67 KB, patch) 2019-02-18 17:02 PST, Mark Lam	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2019-02-18 16:53:22 PST

Fix doesGC() for the CompareEq, CompareLess, CompareLessEq, CompareGreater, CompareGreaterEq, and CompareStrictEq.

Comment 1 Radar WebKit Bug Importer 2019-02-18 16:53:56 PST

<rdar://problem/48183773>

Comment 2 Mark Lam 2019-02-18 17:02:03 PST

Created attachment 362357 [details]
proposed patch.

Comment 3 EWS Watchlist 2019-02-18 17:05:37 PST

Attachment 362357 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGDoesGC.cpp:410:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 1 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 4 Yusuke Suzuki 2019-02-18 17:14:57 PST

Comment on attachment 362357 [details]
proposed patch.

r=me

Comment 5 Mark Lam 2019-02-18 18:06:04 PST

Comment on attachment 362357 [details]
proposed patch.

Thanks for the review.  Landing now.

Comment 6 WebKit Commit Bot 2019-02-18 18:32:15 PST

Comment on attachment 362357 [details]
proposed patch.

Clearing flags on attachment: 362357

Committed r241753: <https://trac.webkit.org/changeset/241753>

Comment 7 WebKit Commit Bot 2019-02-18 18:32:17 PST

All reviewed patches have been landed.  Closing bug.

Comment 8 Marc Bejarano 2019-02-22 07:18:38 PST

Looks like somebody should request a CVE and up the importance of this bug.

https://twitter.com/qwertyoruiopz/status/1098642526041444354

https://ghostbin.com/paste/c4dhv