Title: [238915] branches/safari-606-branch/Source/WebKit
Revision
238915
Author
alanc...@apple.com
Date
2018-12-05 15:51:02 -0800 (Wed, 05 Dec 2018)

Log Message

Cherry-pick r238799. rdar://problem/46432866

    [Cocoa] Check descriptor types in createMessageDecoder
    https://bugs.webkit.org/show_bug.cgi?id=192302

    Reviewed by Chris Dumez.

    Not sure how to construct a test case for Connection, so not adding any
    tests at this time.

    * Platform/IPC/mac/ConnectionMac.mm:
    (IPC::createMessageDecoder): Check descriptor types and return nullptr if they
    are incorrect. Retained the assertions to help with debugging.
    (IPC::Connection::receiveSourceEventHandler): Ignore the message if no decoder
    is created, which means the message is invalid.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238799 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-606-branch/Source/WebKit/ChangeLog (238914 => 238915)


--- branches/safari-606-branch/Source/WebKit/ChangeLog	2018-12-05 23:50:08 UTC (rev 238914)
+++ branches/safari-606-branch/Source/WebKit/ChangeLog	2018-12-05 23:51:02 UTC (rev 238915)
@@ -1,3 +1,39 @@
+2018-12-04  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r238799. rdar://problem/46432866
+
+    [Cocoa] Check descriptor types in createMessageDecoder
+    https://bugs.webkit.org/show_bug.cgi?id=192302
+    
+    Reviewed by Chris Dumez.
+    
+    Not sure how to construct a test case for Connection, so not adding any
+    tests at this time.
+    
+    * Platform/IPC/mac/ConnectionMac.mm:
+    (IPC::createMessageDecoder): Check descriptor types and return nullptr if they
+    are incorrect. Retained the assertions to help with debugging.
+    (IPC::Connection::receiveSourceEventHandler): Ignore the message if no decoder
+    is created, which means the message is invalid.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238799 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-12-03  Darin Adler  <da...@apple.com>
+
+            [Cocoa] Check descriptor types in createMessageDecoder
+            https://bugs.webkit.org/show_bug.cgi?id=192302
+
+            Reviewed by Chris Dumez.
+
+            Not sure how to construct a test case for Connection, so not adding any
+            tests at this time.
+
+            * Platform/IPC/mac/ConnectionMac.mm:
+            (IPC::createMessageDecoder): Check descriptor types and return nullptr if they
+            are incorrect. Retained the assertions to help with debugging.
+            (IPC::Connection::receiveSourceEventHandler): Ignore the message if no decoder
+            is created, which means the message is invalid.
+
 2018-11-27  Alex Christensen  <achristen...@webkit.org>
 
         Build fix after r238572

Modified: branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm (238914 => 238915)


--- branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm	2018-12-05 23:50:08 UTC (rev 238914)
+++ branches/safari-606-branch/Source/WebKit/Platform/IPC/mac/ConnectionMac.mm	2018-12-05 23:51:02 UTC (rev 238915)
@@ -459,29 +459,26 @@
 
     for (mach_msg_size_t i = 0; i < numDescriptors; ++i) {
         mach_msg_descriptor_t* descriptor = reinterpret_cast<mach_msg_descriptor_t*>(descriptorData);
+        ASSERT(descriptor->type.type == MACH_MSG_PORT_DESCRIPTOR);
+        if (descriptor->type.type != MACH_MSG_PORT_DESCRIPTOR)
+            return nullptr;
 
-        switch (descriptor->type.type) {
-        case MACH_MSG_PORT_DESCRIPTOR:
-            attachments[numDescriptors - i - 1] = Attachment(descriptor->port.name, descriptor->port.disposition);
-            descriptorData += sizeof(mach_msg_port_descriptor_t);
-            break;
-        default:
-            ASSERT(false && "Unhandled descriptor type");
-        }
+        attachments[numDescriptors - i - 1] = Attachment(descriptor->port.name, descriptor->port.disposition);
+        descriptorData += sizeof(mach_msg_port_descriptor_t);
     }
 
     if (messageBodyIsOOL) {
         mach_msg_descriptor_t* descriptor = reinterpret_cast<mach_msg_descriptor_t*>(descriptorData);
         ASSERT(descriptor->type.type == MACH_MSG_OOL_DESCRIPTOR);
+        if (descriptor->type.type != MACH_MSG_OOL_DESCRIPTOR)
+            return nullptr;
 
         uint8_t* messageBody = static_cast<uint8_t*>(descriptor->out_of_line.address);
         size_t messageBodySize = descriptor->out_of_line.size;
 
-        auto decoder = std::make_unique<Decoder>(messageBody, messageBodySize, [](const uint8_t* buffer, size_t length) {
+        return std::make_unique<Decoder>(messageBody, messageBodySize, [](const uint8_t* buffer, size_t length) {
             vm_deallocate(mach_task_self(), reinterpret_cast<vm_address_t>(buffer), length);
         }, WTFMove(attachments));
-
-        return decoder;
     }
 
     uint8_t* messageBody = descriptorData;
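Review bot: Both new `return nullptr` paths leave the received Mach message undisposed, so the port rights carried by its descriptors (including those the loop never reached) and any out-of-line region appear to stay in the receiving task. This assumes `Attachment` does not release rights when the partially filled vector is destroyed, which the hunk does not show. A peer that keeps sending wrongly typed descriptors could then grow the receiver's port name space and memory, so consider disposing of the message on the reject path, for example in the caller with `if (!decoder) { mach_msg_destroy(header); return; }`. Otherwise add a comment explaining why no cleanup is needed. createMessageDecoder starts before and ends after this hunk, so any earlier validation of `numDescriptors` against the message size is not visible here.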
@@ -549,7 +546,8 @@
     }
 
     std::unique_ptr<Decoder> decoder = createMessageDecoder(header);
-    ASSERT(decoder);
+    if (!decoder)
+        return;
 
 #if PLATFORM(MAC)
     decoder->setImportanceAssertion(std::make_unique<ImportanceAssertion>(header));
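Review bot: The new `if (!decoder) return;` drops a malformed message with no trace in release builds, and the connection keeps servicing the same peer. A descriptor-type mismatch means the sender is buggy or compromised, so the event is worth recording for later diagnosis. I would add `// Peer sent descriptors of an unexpected type; treat the message as invalid.` above the check, emit a release-build log line there, and decide whether the connection should be invalidated the way other invalid messages are handled. The rest of receiveSourceEventHandler lies outside the hunk, so existing invalid-message handling may already be available to reuse.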