Add support for ASSERT_WITH_SECURITY_IMPLICATION.
authorinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2013 02:55:32 +0000 (02:55 +0000)
committerinferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2013 02:55:32 +0000 (02:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=107699

Reviewed by Eric Seidel.

Source/WebCore:

* dom/ContainerNode.cpp:
(WebCore::ContainerNode::parserInsertBefore): Use ASSERT_WITH_SECURITY_IMPLICATION
for document confusion ASSERT(document() == newChild->document())
(WebCore::ContainerNode::parserAppendChild): same.

Source/WTF:

* wtf/Assertions.h: Add ASSERT_WITH_SECURITY_IMPLICATION to
indicate a possible security vulnerability and enable it by default
in fuzzing builds.
* wtf/Vector.h: Use ASSERT_WITH_SECURITY_IMPLICATION for
bounds check on [] operator.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140633 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WTF/ChangeLog
Source/WTF/wtf/Assertions.h
Source/WTF/wtf/Vector.h
Source/WebCore/ChangeLog
Source/WebCore/dom/ContainerNode.cpp

index 8f56877..b964f0d 100644 (file)
@@ -1,3 +1,16 @@
+2013-01-23  Abhishek Arya  <inferno@chromium.org>
+
+        Add support for ASSERT_WITH_SECURITY_IMPLICATION.
+        https://bugs.webkit.org/show_bug.cgi?id=107699
+
+        Reviewed by Eric Seidel.
+
+        * wtf/Assertions.h: Add ASSERT_WITH_SECURITY_IMPLICATION to
+        indicate possible security vulnerabily and enable it by default
+        in fuzzing builds.
+        * wtf/Vector.h: Use ASSERT_WITH_SECURITY_IMPLICATION for
+        bounds check on [] operator.
+
 2013-01-23  Tony Chang  <tony@chromium.org>
 
         Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
index 0305a22..0d6cc36 100644 (file)
@@ -266,6 +266,28 @@ inline void assertUnused(T& x) { (void)x; }
 
 #endif
 
+/* ASSERT_WITH_SECURITY_IMPLICATION
+   
+   Failure of this assertion indicates a possible security vulnerability.
+   Class of vulnerabilities that it tests include bad casts, out of bounds
+   accesses, use-after-frees, etc. Please file a bug using the security
+   template - https://bugs.webkit.org/enter_bug.cgi?product=Security.
+
+*/
+#ifdef ADDRESS_SANITIZER
+
+#define ASSERT_WITH_SECURITY_IMPLICATION(assertion) \
+    (!(assertion) ? \
+        (WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, #assertion), \
+         CRASH()) : \
+        (void)0)
+
+#else
+
+#define ASSERT_WITH_SECURITY_IMPLICATION(assertion) ASSERT(assertion)
+
+#endif
+
 /* ASSERT_WITH_MESSAGE */
 
 #if COMPILER(MSVC7_OR_LOWER)
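Review bot: The header comment above the new macro describes what a failure means but not when the check is actually compiled in: only the `#ifdef ADDRESS_SANITIZER` branch reports and calls `CRASH()` unconditionally, while the `#else` branch expands to plain `ASSERT(assertion)` and so is compiled out wherever ASSERT is disabled. Readers meeting `ASSERT_WITH_SECURITY_IMPLICATION` in Vector::at or ContainerNode may otherwise take it for a runtime guard that survives into shipping builds. I would add one sentence to the comment block, e.g. `Under ADDRESS_SANITIZER this always reports and crashes, even when ASSERT is disabled; in every other build it is exactly ASSERT and compiles out with it, so it is not a release-mode bounds or type check.` As a nit, the comment block has a whitespace-only line after the title and a blank line before `*/`, which the neighbouring `/* ASSERT_WITH_MESSAGE */` style does not use.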
index d2dedef..64b7f5d 100644 (file)
@@ -547,12 +547,12 @@ namespace WTF {
 
         T& at(size_t i) 
         { 
-            ASSERT(i < size());
+            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
             return m_buffer.buffer()[i]; 
         }
         const T& at(size_t i) const 
         {
-            ASSERT(i < size());
+            ASSERT_WITH_SECURITY_IMPLICATION(i < size());
             return m_buffer.buffer()[i]; 
         }
 
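Review bot: The commit message and the WTF ChangeLog entry describe this change as the bounds check on the `[]` operator, but the hunk replaces the assertion only in the two `at()` overloads. Whether `operator[]` forwards to `at()` cannot be seen from here (it lies outside the hunk); if it does not, indexing via `[]` is still covered only by plain ASSERT and the same one-line replacement `ASSERT_WITH_SECURITY_IMPLICATION(i < size());` belongs there too, otherwise the ChangeLog should name `at()` rather than `[]`. Behaviour in builds where ASSERT is disabled is unchanged by this hunk, since the non-ASan definition of the new macro is ASSERT itself. The enclosing Vector class definition begins outside the hunk.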
index b6fe5e3..597c7c4 100644 (file)
@@ -1,3 +1,15 @@
+2013-01-23  Abhishek Arya  <inferno@chromium.org>
+
+        Add support for ASSERT_WITH_SECURITY_IMPLICATION.
+        https://bugs.webkit.org/show_bug.cgi?id=107699
+
+        Reviewed by Eric Seidel.
+
+        * dom/ContainerNode.cpp:
+        (WebCore::ContainerNode::parserInsertBefore): Use ASSERT_WITH_SECURITY_IMPLICATION
+        for document confusion ASSERT(document() == newChild->document())
+        (WebCore::ContainerNode::parserAppendChild): same.
+
 2013-01-23  Ian Vollick  <vollick@chromium.org>
 
         Unreviewed build fix.
index ef921eb..a792962 100644 (file)
@@ -323,8 +323,8 @@ void ContainerNode::parserInsertBefore(PassRefPtr<Node> newChild, Node* nextChil
     ASSERT(newChild);
     ASSERT(nextChild);
     ASSERT(nextChild->parentNode() == this);
-    ASSERT(document() == newChild->document());
     ASSERT(!newChild->isDocumentFragment());
+    ASSERT_WITH_SECURITY_IMPLICATION(document() == newChild->document());
 
     if (nextChild->previousSibling() == newChild || nextChild == newChild) // nothing to do
         return;
@@ -696,7 +696,7 @@ void ContainerNode::parserAppendChild(PassRefPtr<Node> newChild)
     ASSERT(newChild);
     ASSERT(!newChild->parentNode()); // Use appendChild if you need to handle reparenting (and want DOM mutation events).
     ASSERT(!newChild->isDocumentFragment());
-    ASSERT(document() == newChild->document());
+    ASSERT_WITH_SECURITY_IMPLICATION(document() == newChild->document());
 
     Node* last = m_lastChild;
     {
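Review bot: Neither of the two upgraded assertions in this file says why a cross-document child is security-relevant, although the neighbouring `ASSERT(!newChild->parentNode())` in parserAppendChild does carry an explanatory comment; the ChangeLog calls it "document confusion", so I would put that on both lines, e.g. `ASSERT_WITH_SECURITY_IMPLICATION(document() == newChild->document()); // Document confusion: the child must already belong to this document.` In the parserInsertBefore hunk the assertion is also moved below `ASSERT(!newChild->isDocumentFragment())` instead of being replaced in place as in the parserAppendChild hunk at the old line 696; the reorder is harmless among assertions, but it is not mentioned in the description and makes the diff look like more than a macro swap. Note that outside ADDRESS_SANITIZER builds the new macro is exactly ASSERT, so if a cross-document child must also be rejected in shipping builds that check would have to live elsewhere; I cannot see from these hunks whether one exists. Both functions continue past the hunk boundaries.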