| Index: Source/WebCore/rendering/RenderArena.cpp
|
| ===================================================================
|
| --- Source/WebCore/rendering/RenderArena.cpp (revision 144105)
|
| +++ Source/WebCore/rendering/RenderArena.cpp (working copy)
|
| @@ -36,9 +36,11 @@
|
| #include "config.h"
|
| #include "RenderArena.h"
|
|
|
| +#include <limits>
|
| #include <stdlib.h>
|
| #include <string.h>
|
| #include <wtf/Assertions.h>
|
| +#include <wtf/CryptographicallyRandomNumber.h>
|
|
|
| #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
|
|
|
| @@ -89,10 +91,8 @@
|
| // should immediately crash on the first invalid vtable access for a stale
|
| // RenderObject pointer.
|
| // See http://download.crowdstrike.com/papers/hes-exploiting-a-coalmine.pdf.
|
| -
|
| - // The bottom bits are predictable because the binary is loaded on a
|
| - // boundary. This just shifts most of those predictable bits out.
|
| - m_mask = ~(reinterpret_cast<uintptr_t>(WTF::fastMalloc) >> 13);
|
| + WTF::cryptographicallyRandomValues(&m_mask, sizeof(m_mask));
|
| + m_mask |= (static_cast<uintptr_t>(3) << (std::numeric_limits<uintptr_t>::digits - 2)) | 1;
|
| }
|
|
|
| RenderArena::~RenderArena()
|
|
|
Chromium Code Reviews
Issue 12334103:
Merge 143811 (Closed)
Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1364/