Title: [259789] trunk/Source/WebKit
Revision
259789
Author
ddkil...@apple.com
Date
2020-04-09 04:01:58 -0700 (Thu, 09 Apr 2020)

Log Message

UserData::decode should add bounds checks
<https://webkit.org/b/210247>
<rdar://problem/61467748>

Reviewed by Alex Christensen.

* Shared/UserData.cpp:
(WebKit::UserData::decode):
- Add bounds checks using WTF::isInBounds<size_t>.
* Shared/UserData.h:
(WebKit::UserData::decode):
- Add WARN_UNUSED_RETURN.


Modified: trunk/Source/WebKit/ChangeLog (259788 => 259789)


--- trunk/Source/WebKit/ChangeLog	2020-04-09 10:52:52 UTC (rev 259788)
+++ trunk/Source/WebKit/ChangeLog	2020-04-09 11:01:58 UTC (rev 259789)
@@ -1,5 +1,20 @@
 2020-04-09  David Kilzer  <ddkil...@apple.com>
 
+        UserData::decode should add bounds checks
+        <https://webkit.org/b/210247>
+        <rdar://problem/61467748>
+
+        Reviewed by Alex Christensen.
+
+        * Shared/UserData.cpp:
+        (WebKit::UserData::decode):
+        - Add bounds checks using WTF::isInBounds<size_t>.
+        * Shared/UserData.h:
+        (WebKit::UserData::decode):
+        - Add WARN_UNUSED_RETURN.
+
+2020-04-09  David Kilzer  <ddkil...@apple.com>
+
         Follow-up: WTF::Persistence::VectorCoder and IPC::VectorArgumentCoder should do bounds checking without crashing
         <https://webkit.org/b/210227>
         <rdar://problem/60832243>

Modified: trunk/Source/WebKit/Shared/UserData.cpp (259788 => 259789)


--- trunk/Source/WebKit/Shared/UserData.cpp	2020-04-09 10:52:52 UTC (rev 259788)
+++ trunk/Source/WebKit/Shared/UserData.cpp	2020-04-09 11:01:58 UTC (rev 259789)
@@ -49,6 +49,7 @@
 #include "WebImage.h"
 #include "WebRenderLayer.h"
 #include "WebRenderObject.h"
+#include <wtf/CheckedArithmetic.h>
 
 #if PLATFORM(COCOA)
 #include "ObjCObjectGraph.h"
@@ -340,10 +341,15 @@
 
     switch (type) {
     case API::Object::Type::Array: {
-        uint64_t size;
-        if (!decoder.decode(size))
+        uint64_t decodedSize;
+        if (!decoder.decode(decodedSize))
             return false;
 
+        if (!WTF::isInBounds<size_t>(decodedSize))
+            return false;
+
+        auto size = static_cast<size_t>(decodedSize);
+
         Vector<RefPtr<API::Object>> elements;
         for (size_t i = 0; i < size; ++i) {
             RefPtr<API::Object> element;
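Review bot: The added `WTF::isInBounds<size_t>(decodedSize)` check only rejects a count that does not fit in size_t, which on 64-bit targets cannot fire, so an attacker-chosen 64-bit count still reaches `for (size_t i = 0; i < size; ++i)` unchanged; that is only safe if each iteration consumes decoder bytes and returns false on exhaustion, and nothing in this hunk preallocates from `size`, which the rest of the loop body (it continues past the hunk, as does decode itself) would need to keep true. A stronger guard would additionally reject a count larger than the bytes remaining in the decoder before entering the loop, since every element must occupy at least one byte of the message. The Dictionary case in the next hunk has the identical shape and the same note applies there. At minimum the intent should be recorded next to the check, e.g. `// Guards only the uint64_t -> size_t narrowing; the loop below must still fail on short input rather than reserve for 'size'.`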
@@ -376,10 +382,15 @@
         break;
 
     case API::Object::Type::Dictionary: {
-        uint64_t size;
-        if (!decoder.decode(size))
+        uint64_t decodedSize;
+        if (!decoder.decode(decodedSize))
             return false;
 
+        if (!WTF::isInBounds<size_t>(decodedSize))
+            return false;
+
+        auto size = static_cast<size_t>(decodedSize);
+
         API::Dictionary::MapType map;
         for (size_t i = 0; i < size; ++i) {
             String key;

Modified: trunk/Source/WebKit/Shared/UserData.h (259788 => 259789)


--- trunk/Source/WebKit/Shared/UserData.h	2020-04-09 10:52:52 UTC (rev 259788)
+++ trunk/Source/WebKit/Shared/UserData.h	2020-04-09 11:01:58 UTC (rev 259789)
@@ -52,10 +52,10 @@
     API::Object* object() const { return m_object.get(); }
 
     void encode(IPC::Encoder&) const;
-    static bool decode(IPC::Decoder&, UserData&);
+    static bool decode(IPC::Decoder&, UserData&) WARN_UNUSED_RETURN;
 
     static void encode(IPC::Encoder&, const API::Object*);
-    static bool decode(IPC::Decoder&, RefPtr<API::Object>&);
+    static bool decode(IPC::Decoder&, RefPtr<API::Object>&) WARN_UNUSED_RETURN;
 
 private:
     static void encode(IPC::Encoder&, const API::Object&);