Backport patch to fix CVE-2017-17821. Refer to https://security-tracker.debian.org/tracker/CVE-2017-17821. Upstream-Status: Backport [https://trac.webkit.org/changeset/232119/webkit] CVE: CVE-2017-17821 Signed-off-by: Kai Kang From 2a17b15297eb886b0bfb7d098ef607cfad6c3da0 Mon Sep 17 00:00:00 2001 From: "mcatanzaro@igalia.com" Date: Wed, 23 May 2018 17:54:01 +0000 Subject: [PATCH] Prohibit shrinking the FastBitVector https://bugs.webkit.org/show_bug.cgi?id=181020 Reviewed by Oliver Hunt. Prohibit shrinking the FastBitVector. It's not prepared for this and the current usage does not require it. * wtf/FastBitVector.cpp: (WTF::FastBitVectorWordOwner::resizeSlow): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232119 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- Source/WTF/wtf/FastBitVector.cpp | 2 ++ 2 files changed, 15 insertions(+) diff --git a/Source/WTF/wtf/FastBitVector.cpp b/Source/WTF/wtf/FastBitVector.cpp index eed316975f4..8b019aaa3ed 100644 --- a/Source/WTF/wtf/FastBitVector.cpp +++ b/Source/WTF/wtf/FastBitVector.cpp @@ -42,6 +42,8 @@ void FastBitVectorWordOwner::setEqualsSlow(const FastBitVectorWordOwner& other) void FastBitVectorWordOwner::resizeSlow(size_t numBits) { size_t newLength = fastBitVectorArrayLength(numBits); + + RELEASE_ASSERT(newLength >= arrayLength()); // Use fastCalloc instead of fastRealloc because we expect the common // use case for this method to be initializing the size of the bitvector. -- 2.17.0