2010-10-13 Yong Li <yoli@rim.com>
Reviewed by Oliver Hunt.
Fix potential misaligned memory access in CloneDeserializer::readLittleEndian and readString
that can result in a crash on ARM (<v6).
https://bugs.webkit.org/show_bug.cgi?id=47594
No new test added, because the crash can be produced by existing tests like:
LayoutTests/fast/events/message-channel-gc-4.html
* bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::readLittleEndian):
(WebCore::CloneDeserializer::readString):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69682 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/bindings/js/SerializedScriptValue.cpp b/WebCore/bindings/js/SerializedScriptValue.cpp
index 8ccaf9c..1711687 100644
--- a/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -819,7 +819,12 @@
if (sizeof(T) == 1)
value = *ptr++;
else {
- value = *reinterpret_cast_ptr<const T*>(ptr);
+#if CPU(ARMV5_OR_LOWER)
+ // To protect misaligned memory access.
+ memcpy(&value, ptr, sizeof(T));
+#else
+ value = *reinterpret_cast<const T*>(ptr);
+#endif
ptr += sizeof(T);
}
return true;
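Review bot: The `#else` branch at the `value = *reinterpret_cast<const T*>(ptr);` line still dereferences a possibly unaligned `const T*` derived from the byte cursor, which is undefined behaviour on every target, not only ARMv5-or-lower; the deserializer consumes serialized bytes whose layout it does not control, so the alignment cannot be assumed on any platform. Since compilers turn a fixed-size `memcpy` into a plain load where unaligned access is cheap, the `#if CPU(ARMV5_OR_LOWER)` split buys nothing, and the whole block can be the single line `memcpy(&value, ptr, sizeof(T));`, with a comment such as `// ptr is an arbitrary byte offset into the buffer; memcpy avoids an unaligned (UB) load.`. The same applies to the `str = UString(reinterpret_cast<const UChar*>(ptr), length);` line in the readString hunk, which likewise keeps the unaligned cast outside the ARM guard. Note also that the non-ARM path swaps the original `reinterpret_cast_ptr` for a plain `reinterpret_cast` in both hunks; if that wrapper exists to silence cast-alignment diagnostics on some toolchains, dropping it should be stated as intentional in the description. The enclosing readLittleEndian body begins before this hunk.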
@@ -907,7 +912,14 @@
return false;
#if ASSUME_LITTLE_ENDIAN
- str = UString(reinterpret_cast_ptr<const UChar*>(ptr), length);
+#if CPU(ARMV5_OR_LOWER)
+ // To protect misaligned memory access.
+ Vector<UChar> alignedBuffer(length);
+ memcpy(alignedBuffer.data(), ptr, length * sizeof(UChar));
+ str = UString::adopt(alignedBuffer);
+#else
+ str = UString(reinterpret_cast<const UChar*>(ptr), length);
+#endif
ptr += length * sizeof(UChar);
#else
Vector<UChar> buffer;