[7] WTF Vector growImpl Release Assert Hardening
Severity: Medium | Component: WTF Vector | 3b05441
Rated Medium because the observable effect in release builds is silent invariant violation (size regression in a foundational container) that could lead to OOB access or stale-data exposure, but there is no commit-backed evidence of a specific caller that actually triggers the regression — the upgrade is a hardening measure, not a targeted bug fix.
Patch Details
Upgrades a debug-only assertion in Vector::growImpl from ASSERT_WITH_SECURITY_IMPLICATION to RELEASE_ASSERT_WITH_SECURITY_IMPLICATION. The assertion checks that the requested new size parameter is ≥ the current m_size.
Source/WTF/wtf/Vector.h
template<FailureAction failureAction>
bool Vector<T, inlineCapacity, OverflowHandler, minCapacity, Malloc>::growImpl(size_t size)
{
- ASSERT_WITH_SECURITY_IMPLICATION(size >= m_size);
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(size >= m_size);
if (size > capacity()) {
bool success = expandCapacity<failureAction>(size);
if constexpr (failureAction == FailureAction::Report) {
Security-critical invariant enforced only in debug builds, leaving release builds unprotected against caller-supplied size regression in a foundational container.
Background
WTF::Vector is WebKit's primary dynamic array, used throughout all WebKit processes. growImpl is the internal method backing grow() operations — it adjusts the vector's logical size and expands capacity if needed. ASSERT_WITH_SECURITY_IMPLICATION is a debug-only assertion compiled out in release builds. RELEASE_ASSERT_WITH_SECURITY_IMPLICATION is its release-build counterpart that triggers a controlled process termination in all configurations.
Analysis
In release builds, the size >= m_size invariant was not enforced. If any caller of grow() passed a size smaller than the vector's current m_size, the vector's logical size would shrink without destructing elements between the new and old sizes, and subsequent operations would operate on a vector whose m_size was decreased but whose backing store still contained stale objects. Depending on element type and usage, this could expose stale data, corrupt vector bookkeeping, or cause out-of-bounds access when later code assumes monotonic growth.
Aaaaaaaaaaaaa Aa Aaa Aaaa Aaaaaa Aaaa Aaaaaaaaa Aa Aaaaaaa Aaa Aaaa Aaaa Aaaa Aaaaa Aaaa Aaaaaaaa Aaaa a Aaaaa Aaaaaaa Aaaa Aaa Aaaaaaa Aaaa Aaaaa Aaaaaaaa Aaaaaaa Aaaaaa Aaaaa Aa Aaaaaaa Aaaaaaa Aa Aaaaaaaa Aaa Aaaaa Aaaaaaaaa Aaa Aaaa Aaaaaaaa Aa Aaaaaaaa a Aaa Aaaaaaaaa Aaaaaaa Aaaaaaaaaa Aaa Aaaaaaa Aaaaaa Aaa Aaaaaaaaaa Aaaaaaaa Aa Aaaaaa Aaaa Aaaaaaa a Aaaaa Aaaaaaaaaaa Aaaaaa Aaa Aaaaaa Aa Aaaaaaaaaa Aaaaaaaaa Aaa Aaa Aaaaaaaa Aaa Aaaaaaaaa Aa a Aaaa Aaaaa Aaaaaaa Aa Aaa Aaaaaaa
Aaaa Aaaaaaaaaaaaa Aaaaaaa Aaaaaa Aaaaaa Aaaaaa Aaa Aaaaaa Aaaaaaaaaa Aaa Aaa Aa a Aaaaaaaaaaaaaaaa Aaaaaaa Aaaa Aaaaaaaa a Aaaaaa Aaaaaaaaa Aaaaaaaaa Aaaa a Aaaaaaaaaa Aaaaaa
Aaaa Aaaaaa Aaaaaaaaaaa a Aaaaaaaaa Aaaaaa Aaaaaaaaa Aaaaaaaa Aaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaa Aaaaaaaaa Aaaaa Aaaa Aaaaaaaa Aaaaaaaaaaaaa Aaaaa Aaaaaaaaaa Aaaaaaa Aaaa Aaaaaaaaaa Aa Aaa Aaaaa a Aaaa Aaaaaaaaaaaaaaaaa Aaaaaaaaaa Aaa Aaaaaaa Aaaa Aa Aaaaa Aaaaaaaaaaa Aaa Aaa Aaaa Aaaaaaaa Aaaa Aaaaaaa Aaaaaaaa Aaaaaaaaaaa Aa Aaaaaaaaaaa
🔒Explores the concrete memory corruption scenarios that could arise if the now-enforced invariant were violated in a release build
Subscribe to read more
Audit directions
a Aaaaaaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaaa Aa Aaaaaaaaaa Aaaaaaaaaa Aa Aaaaaaaaaaaa Aaaaaaaaaaaaa Aaaa Aaa Aaaaaaa Aaaaaaaaaaaa Aaaaaaaaaa Aaaaaaaaaaaa Aaaaaaaa Aaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaa Aaaaaaa Aaaa Aaaaaaa Aaaaaaaaa Aaaaaa Aa a Aaaaaaaaaaaaaaaaa Aaaaaaaaaa Aaaaaaaaaa Aaaa Aaaaa Aaaaaaa Aaaaaa Aa Aaaaaaa Aaaaaaaaa
a Aaaaaaaaa Aa Aaaaaaaaaaaaaaaa Aaa Aaaaaaaaaaaaaaaaaa Aaaaa Aaa Aaaa Aaaaaaaa Aaaaa Aaaaaaa Aaaaa Aaaaaaa Aaaa Aaa Aa Aaaaaaaaaaaaaaaaaaa Aaaaaaaa Aaaaa Aaaa Aaa Aaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaaa Aaaaaaaa Aaaa Aaaaaa Aaaaaaaaa Aaaaaaa
🔒Systematic audit directions for similar debug-only assertion gaps across WebKit's foundational containers
Subscribe to read more