[webkit-changes] [252619] trunk/Source/WebKit

Mon, 18 Nov 2019 18:50:26 -0800

Title: [252619] trunk/Source/WebKit
Revision
252619
Author
[email protected]
Date
2019-11-18 18:50:07 -0800 (Mon, 18 Nov 2019)

Log Message

IPC::Decoder should use nullptr as invalid value
<https://webkit.org/b/203880>
<rdar://problem/53159906>

Reviewed by Brent Fulgham.

Covered by existing tests.

* Platform/IPC/Decoder.cpp:
(IPC::alignedBufferIsLargeEnoughToContain): Add bufferStart
parameter to add beginning bounds check now that m_bufferPos
uses nullptr for an invalid value.
(IPC::Decoder::alignBufferPosition): Update to pass m_buffer to
IPC::alignedBufferIsLargeEnoughToContain().
(IPC::Decoder::bufferIsLargeEnoughToContain const): Ditto.
* Platform/IPC/Decoder.h:
(IPC::Decoder::isInvalid const): Add beginning bounds check now
that m_bufferPos uses nullptr for an invalid value.
(IPC::Decoder::markInvalid): Make nullptr the invalid value for
m_bufferPos.

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (252618 => 252619)


--- trunk/Source/WebKit/ChangeLog	2019-11-19 02:47:55 UTC (rev 252618)
+++ trunk/Source/WebKit/ChangeLog	2019-11-19 02:50:07 UTC (rev 252619)
@@ -1,3 +1,26 @@
+2019-11-18  David Kilzer  <[email protected]>
+
+        IPC::Decoder should use nullptr as invalid value
+        <https://webkit.org/b/203880>
+        <rdar://problem/53159906>
+
+        Reviewed by Brent Fulgham.
+
+        Covered by existing tests.
+
+        * Platform/IPC/Decoder.cpp:
+        (IPC::alignedBufferIsLargeEnoughToContain): Add bufferStart
+        parameter to add beginning bounds check now that m_bufferPos
+        uses nullptr for an invalid value.
+        (IPC::Decoder::alignBufferPosition): Update to pass m_buffer to
+        IPC::alignedBufferIsLargeEnoughToContain().
+        (IPC::Decoder::bufferIsLargeEnoughToContain const): Ditto.
+        * Platform/IPC/Decoder.h:
+        (IPC::Decoder::isInvalid const): Add beginning bounds check now
+        that m_bufferPos uses nullptr for an invalid value.
+        (IPC::Decoder::markInvalid): Make nullptr the invalid value for
+        m_bufferPos.
+
 2019-11-18  Andres Gonzalez  <[email protected]>
 
         Run AccessibilityController::rootElement on secondary thread to simulate HIServices during LayoutTests.

Modified: trunk/Source/WebKit/Platform/IPC/Decoder.cpp (252618 => 252619)


--- trunk/Source/WebKit/Platform/IPC/Decoder.cpp	2019-11-19 02:47:55 UTC (rev 252618)
+++ trunk/Source/WebKit/Platform/IPC/Decoder.cpp	2019-11-19 02:50:07 UTC (rev 252619)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -135,15 +135,19 @@
     return reinterpret_cast<uint8_t*>((reinterpret_cast<uintptr_t>(ptr) + alignmentMask) & ~alignmentMask);
 }
 
-static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferEnd, size_t size)
+static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferStart, const uint8_t* bufferEnd, size_t size)
 {
-    return bufferEnd >= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size;
+    // When size == 0 for the last argument and it's a variable length byte arrray,
+    // bufferStart == alignedPosition == bufferEnd, so checking (bufferEnd >= alignedPosition)
+    // is not an off-by-one error since (static_cast<size_t>(bufferEnd - alignedPosition) >= size)
+    // will catch issues when size != 0.
+    return bufferEnd >= alignedPosition && bufferStart <= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size;
 }
 
 bool Decoder::alignBufferPosition(unsigned alignment, size_t size)
 {
     const uint8_t* alignedPosition = roundUpToAlignment(m_bufferPos, alignment);
-    if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_bufferEnd, size)) {
+    if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_buffer, m_bufferEnd, size)) {
         // We've walked off the end of this buffer.
         markInvalid();
         return false;
@@ -155,7 +159,7 @@
 
 bool Decoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const
 {
-    return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_bufferEnd, size);
+    return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_buffer, m_bufferEnd, size);
 }
 
 bool Decoder::decodeFixedLengthData(uint8_t* data, size_t size, unsigned alignment)

Modified: trunk/Source/WebKit/Platform/IPC/Decoder.h (252618 => 252619)


--- trunk/Source/WebKit/Platform/IPC/Decoder.h	2019-11-19 02:47:55 UTC (rev 252618)
+++ trunk/Source/WebKit/Platform/IPC/Decoder.h	2019-11-19 02:50:07 UTC (rev 252619)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,8 +70,13 @@
 
     size_t length() const { return m_bufferEnd - m_buffer; }
 
-    bool isInvalid() const { return m_bufferPos > m_bufferEnd; }
-    void markInvalid() { m_bufferPos = m_bufferEnd + 1; }
+    bool isInvalid() const
+    {
+        // (m_bufferPos == m_bufferEnd) is a valid state for decoding if the last parameter
+        // is a variable length byte array and its size == 0.
+        return m_bufferPos < m_buffer || m_bufferPos > m_bufferEnd;
+    }
+    void markInvalid() { m_bufferPos = nullptr; }
 
     bool decodeFixedLengthData(uint8_t*, size_t, unsigned alignment);
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to