Title: [232451] trunk/Source/WebKit
- Revision
- 232451
- Author
- [email protected]
- Date
- 2018-06-03 11:28:07 -0700 (Sun, 03 Jun 2018)
Log Message
Make sure that the fencePort received over IPC has the expected disposition (SEND)
https://bugs.webkit.org/show_bug.cgi?id=186211
<rdar://problem/37814171>
Reviewed by Geoffrey Garen.
It is possible (though very unlikely) for a message to be received that has the wrong mach port disposition.
If this happens, we shouldn't manipulate the passed mach_port_t or pass it on to other API. We already
drop messages that violate this expectation in the IPC layer, but code handling IPC::Attachment data types
is not checking this value.
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::setTopContentInsetFenced):
* WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::setVideoLayerFrameFenced):
Diff
Modified: trunk/Source/WebKit/ChangeLog (232450 => 232451)
--- trunk/Source/WebKit/ChangeLog 2018-06-03 17:35:41 UTC (rev 232450)
+++ trunk/Source/WebKit/ChangeLog 2018-06-03 18:28:07 UTC (rev 232451)
@@ -1,3 +1,21 @@
+2018-06-03 Brent Fulgham <[email protected]>
+
+ Make sure that the fencePort received over IPC has the expected disposition (SEND)
+ https://bugs.webkit.org/show_bug.cgi?id=186211
+ <rdar://problem/37814171>
+
+ Reviewed by Geoffrey Garen.
+
+ It is possible (though very unlikely) for a message to be recevied that has the wrong mach port disposition.
+ If this happens, we shouldn't manipulate the passed mach_port_t or pass it on to other API. We already
+ drop messages that violate this expectation in the IPC layer, but code handling IPC::Attachment data types
+ are not checking this value.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::setTopContentInsetFenced):
+ * WebProcess/cocoa/VideoFullscreenManager.mm:
+ (WebKit::VideoFullscreenManager::setVideoLayerFrameFenced):
+
2018-06-02 Chris Dumez <[email protected]>
Unreviewed, rolling out r232275.
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (232450 => 232451)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2018-06-03 17:35:41 UTC (rev 232450)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2018-06-03 18:28:07 UTC (rev 232451)
@@ -2665,6 +2665,11 @@
#if PLATFORM(COCOA)
void WebPage::setTopContentInsetFenced(float contentInset, IPC::Attachment fencePort)
{
+ if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) {
+ LOG(Layers, "WebPage::setTopContentInsetFenced(%g, fencePort) Received an invalid fence port: %d, disposition: %d", contentInset, fencePort.port(), fencePort.disposition());
+ return;
+ }
+
m_drawingArea->addFence(MachSendRight::create(fencePort.port()));
setTopContentInset(contentInset);
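Review bot: The early return in setTopContentInsetFenced also skips setTopContentInset(contentInset), so a message with an unexpected disposition drops the inset update together with the fence. If the whole message is meant to be discarded as untrusted, a short comment above the check should say so; if not, skip only the addFence call and still apply the inset. The rejection is reported only through LOG(Layers, ...), so the drop is silent whenever that channel is not enabled.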
Modified: trunk/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm (232450 => 232451)
--- trunk/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm 2018-06-03 17:35:41 UTC (rev 232450)
+++ trunk/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm 2018-06-03 18:28:07 UTC (rev 232451)
@@ -564,6 +564,11 @@
{
LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x)", this, contextId);
+ if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) {
+ LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x) Received an invalid fence port: %d, disposition: %d", this, contextId, fencePort.port(), fencePort.disposition());
+ return;
+ }
+
RefPtr<VideoFullscreenModelVideoElement> model;
RefPtr<VideoFullscreenInterfaceContext> interface;
std::tie(model, interface) = ensureModelAndInterface(contextId);
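Review bot: The disposition check here duplicates the one added to WebPage::setTopContentInsetFenced, differing only in the log text. A shared helper that takes the IPC::Attachment and reports whether its disposition is MACH_MSG_TYPE_MOVE_SEND would keep the two call sites from drifting and give other IPC::Attachment handlers one thing to call. The early return also bypasses the deallocateSendRightSafely(fencePort.port()) call visible later in this file's diff; that fits the log message's intent not to manipulate the port, but it deserves a one-line comment so it is not later mistaken for a leak and "fixed".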
@@ -573,8 +578,8 @@
bounds = FloatRect(0, 0, videoRect.width(), videoRect.height());
}
- if (interface->layerHostingContext())
- interface->layerHostingContext()->setFencePort(fencePort.port());
+ if (auto* context = interface->layerHostingContext())
+ context->setFencePort(fencePort.port());
model->setVideoLayerFrame(bounds);
deallocateSendRightSafely(fencePort.port());
}
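Review bot: The change from calling interface->layerHostingContext() twice to `if (auto* context = interface->layerHostingContext())` is a cleanup unrelated to the disposition check, and the ChangeLog entry does not mention it. Either note it under the setVideoLayerFrameFenced entry or land it separately, so the security-relevant part of this revision is easy to identify and backport on its own.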