Title: [246648] branches/safari-607-branch/Source/WebKit
- Revision
- 246648
- Author
- kocsen_ch...@apple.com
- Date
- 2019-06-20 13:06:49 -0700 (Thu, 20 Jun 2019)
Log Message
Cherry-pick r245911. rdar://problem/51656609
Network process crash when decoding SecItemResponseData
https://bugs.webkit.org/show_bug.cgi?id=198388
<rdar://problem/50408046>
Reviewed by Alex Christensen.
* Shared/cf/ArgumentCodersCF.cpp:
(IPC::decode):
When decoding the elements inside a CFArrayRef, if decoding was successful but
the CFTypeRef element is still null then skip it instead of trying to append it
to the array. A CFArray container is not allowed to contain null.
Some of our decoders for CFTypeRef types may not initialize the element even if
the decode() function returns true. For example, the decoders for CFArrayRef and
CFDictionaryRef return true if the encoded container was null but do not create
a container.
* Shared/mac/SecItemResponseData.cpp:
(WebKit::SecItemResponseData::SecItemResponseData):
nit: The wrong parameter was being moved. This is more efficient.
(WebKit::SecItemResponseData::encode const):
nit: Drop unnecessary .get().
* UIProcess/mac/SecItemShimProxy.cpp:
(WebKit::SecItemShimProxy::secItemRequest):
nit: Use nullptr instead of 0.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245911 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-607-branch/Source/WebKit/ChangeLog (246647 => 246648)
--- branches/safari-607-branch/Source/WebKit/ChangeLog 2019-06-20 20:03:58 UTC (rev 246647)
+++ branches/safari-607-branch/Source/WebKit/ChangeLog 2019-06-20 20:06:49 UTC (rev 246648)
@@ -1,3 +1,65 @@
+2019-06-19 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r245911. rdar://problem/51656609
+
+ Network process crash when decoding SecItemResponseData
+ https://bugs.webkit.org/show_bug.cgi?id=198388
+ <rdar://problem/50408046>
+
+ Reviewed by Alex Christensen.
+
+ * Shared/cf/ArgumentCodersCF.cpp:
+ (IPC::decode):
+ When decoding the elements inside a CFArrayRef, if decoding was successful but
+ the CFTypeRef element is still null then skip it instead of trying to append it
+ to the array. A CFArray container is not allowed to contain null.
+ Some of our decoders for CFTypeRef types may not initialize the element even if
+ the decode() function returns true. For example, the decoders for CFArrayRef and
+ CFDictionaryRef return true if the encoded container was null but do not create
+ a container.
+
+ * Shared/mac/SecItemResponseData.cpp:
+ (WebKit::SecItemResponseData::SecItemResponseData):
+ nit: The wrong parameter was being moved. This is more efficient.
+
+ (WebKit::SecItemResponseData::encode const):
+ nit: Drop unnecessary .get().
+
+ * UIProcess/mac/SecItemShimProxy.cpp:
+ (WebKit::SecItemShimProxy::secItemRequest):
+ nit: Use nullptr instead of 0.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245911 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-30 Chris Dumez <cdu...@apple.com>
+
+ Network process crash when decoding SecItemResponseData
+ https://bugs.webkit.org/show_bug.cgi?id=198388
+ <rdar://problem/50408046>
+
+ Reviewed by Alex Christensen.
+
+ * Shared/cf/ArgumentCodersCF.cpp:
+ (IPC::decode):
+ When decoding the elements inside a CFArrayRef, if decoding was successful but
+ the CFTypeRef element is still null then skip it instead of trying to append it
+ to the array. A CFArray container is not allowed to contain null.
+ Some of our decoders for CFTypeRef types may not initialize the element even if
+ the decode() function returns true. For example, the decoders for CFArrayRef and
+ CFDictionaryRef return true if the encoded container was null but do not create
+ a container.
+
+ * Shared/mac/SecItemResponseData.cpp:
+ (WebKit::SecItemResponseData::SecItemResponseData):
+ nit: The wrong parameter was being moved. This is more efficient.
+
+ (WebKit::SecItemResponseData::encode const):
+ nit: Drop unnecessary .get().
+
+ * UIProcess/mac/SecItemShimProxy.cpp:
+ (WebKit::SecItemShimProxy::secItemRequest):
+ nit: Use nullptr instead of 0.
+
2019-06-12 Null <n...@apple.com>
Cherry-pick r245298. rdar://problem/51656613
Modified: branches/safari-607-branch/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp (246647 => 246648)
--- branches/safari-607-branch/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp 2019-06-20 20:03:58 UTC (rev 246647)
+++ branches/safari-607-branch/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp 2019-06-20 20:06:49 UTC (rev 246648)
@@ -346,7 +346,7 @@
if (!decoder.decode(size))
return false;
- RetainPtr<CFMutableArrayRef> array = adoptCF(CFArrayCreateMutable(0, 0, &kCFTypeArrayCallBacks));
+ auto array = adoptCF(CFArrayCreateMutable(0, 0, &kCFTypeArrayCallBacks));
for (size_t i = 0; i < size; ++i) {
RetainPtr<CFTypeRef> element;
@@ -353,6 +353,9 @@
if (!decode(decoder, element))
return false;
+ if (!element)
+ continue;
+
CFArrayAppendValue(array.get(), element.get());
}
Modified: branches/safari-607-branch/Source/WebKit/Shared/mac/SecItemResponseData.cpp (246647 => 246648)
--- branches/safari-607-branch/Source/WebKit/Shared/mac/SecItemResponseData.cpp 2019-06-20 20:03:58 UTC (rev 246647)
+++ branches/safari-607-branch/Source/WebKit/Shared/mac/SecItemResponseData.cpp 2019-06-20 20:06:49 UTC (rev 246648)
@@ -44,7 +44,7 @@
void SecItemResponseData::encode(IPC::Encoder& encoder) const
{
encoder << static_cast<int64_t>(m_resultCode);
- encoder << static_cast<bool>(m_resultObject.get());
+ encoder << static_cast<bool>(m_resultObject);
if (m_resultObject)
IPC::encode(encoder, m_resultObject.get());
}
Modified: branches/safari-607-branch/Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp (246647 => 246648)
--- branches/safari-607-branch/Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp 2019-06-20 20:03:58 UTC (rev 246647)
+++ branches/safari-607-branch/Source/WebKit/UIProcess/mac/SecItemShimProxy.cpp 2019-06-20 20:06:49 UTC (rev 246648)
@@ -65,13 +65,13 @@
switch (request.type()) {
case SecItemRequestData::Invalid:
LOG_ERROR("SecItemShimProxy::secItemRequest received an invalid data request. Please file a bug if you know how you caused this.");
- response = SecItemResponseData(errSecParam, nullptr);
+ response = SecItemResponseData { errSecParam, nullptr };
break;
case SecItemRequestData::CopyMatching: {
- CFTypeRef resultObject = 0;
+ CFTypeRef resultObject = nullptr;
OSStatus resultCode = SecItemCopyMatching(request.query(), &resultObject);
- response = SecItemResponseData(resultCode, adoptCF(resultObject).get());
+ response = SecItemResponseData { resultCode, adoptCF(resultObject).get() };
break;
}
@@ -79,19 +79,19 @@
// Return value of SecItemAdd is often ignored. Even if it isn't, we don't have the ability to
// serialize SecKeychainItemRef.
OSStatus resultCode = SecItemAdd(request.query(), nullptr);
- response = SecItemResponseData(resultCode, nullptr);
+ response = SecItemResponseData { resultCode, nullptr };
break;
}
case SecItemRequestData::Update: {
OSStatus resultCode = SecItemUpdate(request.query(), request.attributesToMatch());
- response = SecItemResponseData(resultCode, 0);
+ response = SecItemResponseData { resultCode, nullptr };
break;
}
case SecItemRequestData::Delete: {
OSStatus resultCode = SecItemDelete(request.query());
- response = SecItemResponseData(resultCode, 0);
+ response = SecItemResponseData { resultCode, nullptr };
break;
}
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes