Cherry-pick 265870.553@safari-7616-branch (1393b61). https://bugs.web…

…kit.org/show_bug.cgi?id=261220 WTF::Vector cross-container overflow ASAN support https://bugs.webkit.org/show_bug.cgi?id=261220 rdar://113692853 Reviewed by David Kilzer. Added check in ASAN builds for container overflow * Source/WTF/wtf/Vector.h: (WTF::Malloc>::asanBufferSizeWillChangeTo): (WTF::Malloc>::uncheckedAppend): * Tools/TestWebKitAPI/Tests/WTF/Vector.cpp: (TestWebKitAPI::TEST): Canonical link: https://commits.webkit.org/265870.553@safari-7616-branch
WebKit · Oct 20, 2023 · aa2b734 · aa2b734
1 parent da56ace
commit aa2b734
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/Source/WTF/wtf/Vector.h b/Source/WTF/wtf/Vector.h
@@ -1272,6 +1272,8 @@ inline void Vector<T, inlineCapacity, OverflowHandler, minCapacity, Malloc>::asa
     if (!buffer())
         return;
 
+    RELEASE_ASSERT_WITH_MESSAGE(newSize <= capacity(), "Attempt to expand size (%lu) beyond current capacity (%lu)", newSize, capacity());
+
     // Change allowed range.
     __sanitizer_annotate_contiguous_container(buffer(), endOfBuffer(), buffer() + size(), buffer() + newSize);
 #else
@@ -1389,7 +1391,7 @@ ALWAYS_INLINE bool Vector<T, inlineCapacity, OverflowHandler, minCapacity, Mallo
     if (!dataSize)
         return true;
 
-    ASSERT(size() < capacity());
+    ASSERT_WITH_MESSAGE((Checked<size_t>(size()) + dataSize) <= capacity(), "uncheckedAppend() without expanding capacity");
 
     size_t newSize = m_size + dataSize;
     asanBufferSizeWillChangeTo(newSize);