Modified: branches/safari-608-branch/Source/WebKit/ChangeLog (252656 => 252657)
--- branches/safari-608-branch/Source/WebKit/ChangeLog 2019-11-20 00:33:09 UTC (rev 252656)
+++ branches/safari-608-branch/Source/WebKit/ChangeLog 2019-11-20 00:33:13 UTC (rev 252657)
@@ -1,3 +1,53 @@
+2019-11-19 Alan Coon <[email protected]>
+
+ Cherry-pick r252619. rdar://problem/57330791
+
+ IPC::Decoder should use nullptr as invalid value
+ <https://webkit.org/b/203880>
+ <rdar://problem/53159906>
+
+ Reviewed by Brent Fulgham.
+
+ Covered by existing tests.
+
+ * Platform/IPC/Decoder.cpp:
+ (IPC::alignedBufferIsLargeEnoughToContain): Add bufferStart
+ parameter to add beginning bounds check now that m_bufferPos
+ uses nullptr for an invalid value.
+ (IPC::Decoder::alignBufferPosition): Update to pass m_buffer to
+ IPC::alignedBufferIsLargeEnoughToContain().
+ (IPC::Decoder::bufferIsLargeEnoughToContain const): Ditto.
+ * Platform/IPC/Decoder.h:
+ (IPC::Decoder::isInvalid const): Add beginning bounds check now
+ that m_bufferPos uses nullptr for an invalid value.
+ (IPC::Decoder::markInvalid): Make nullptr the invalid value for
+ m_bufferPos.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@252619 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-11-18 David Kilzer <[email protected]>
+
+ IPC::Decoder should use nullptr as invalid value
+ <https://webkit.org/b/203880>
+ <rdar://problem/53159906>
+
+ Reviewed by Brent Fulgham.
+
+ Covered by existing tests.
+
+ * Platform/IPC/Decoder.cpp:
+ (IPC::alignedBufferIsLargeEnoughToContain): Add bufferStart
+ parameter to add beginning bounds check now that m_bufferPos
+ uses nullptr for an invalid value.
+ (IPC::Decoder::alignBufferPosition): Update to pass m_buffer to
+ IPC::alignedBufferIsLargeEnoughToContain().
+ (IPC::Decoder::bufferIsLargeEnoughToContain const): Ditto.
+ * Platform/IPC/Decoder.h:
+ (IPC::Decoder::isInvalid const): Add beginning bounds check now
+ that m_bufferPos uses nullptr for an invalid value.
+ (IPC::Decoder::markInvalid): Make nullptr the invalid value for
+ m_bufferPos.
+
2019-11-18 Alan Coon <[email protected]>
Apply patch. rdar://problem/57283569
Modified: branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.cpp (252656 => 252657)
--- branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.cpp 2019-11-20 00:33:09 UTC (rev 252656)
+++ branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.cpp 2019-11-20 00:33:13 UTC (rev 252657)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -135,15 +135,19 @@
return reinterpret_cast<uint8_t*>((reinterpret_cast<uintptr_t>(ptr) + alignmentMask) & ~alignmentMask);
}
-static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferEnd, size_t size)
+static inline bool alignedBufferIsLargeEnoughToContain(const uint8_t* alignedPosition, const uint8_t* bufferStart, const uint8_t* bufferEnd, size_t size)
{
- return bufferEnd >= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size;
+ // When size == 0 for the last argument and it's a variable length byte arrray,
+ // bufferStart == alignedPosition == bufferEnd, so checking (bufferEnd >= alignedPosition)
+ // is not an off-by-one error since (static_cast<size_t>(bufferEnd - alignedPosition) >= size)
+ // will catch issues when size != 0.
+ return bufferEnd >= alignedPosition && bufferStart <= alignedPosition && static_cast<size_t>(bufferEnd - alignedPosition) >= size;
}
bool Decoder::alignBufferPosition(unsigned alignment, size_t size)
{
const uint8_t* alignedPosition = roundUpToAlignment(m_bufferPos, alignment);
- if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_bufferEnd, size)) {
+ if (!alignedBufferIsLargeEnoughToContain(alignedPosition, m_buffer, m_bufferEnd, size)) {
// We've walked off the end of this buffer.
markInvalid();
return false;
@@ -155,7 +159,7 @@
bool Decoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const
{
- return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_bufferEnd, size);
+ return alignedBufferIsLargeEnoughToContain(roundUpToAlignment(m_bufferPos, alignment), m_buffer, m_bufferEnd, size);
}
bool Decoder::decodeFixedLengthData(uint8_t* data, size_t size, unsigned alignment)
Modified: branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.h (252656 => 252657)
--- branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.h 2019-11-20 00:33:09 UTC (rev 252656)
+++ branches/safari-608-branch/Source/WebKit/Platform/IPC/Decoder.h 2019-11-20 00:33:13 UTC (rev 252657)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -70,8 +70,13 @@
size_t length() const { return m_bufferEnd - m_buffer; }
- bool isInvalid() const { return m_bufferPos > m_bufferEnd; }
- void markInvalid() { m_bufferPos = m_bufferEnd + 1; }
+ bool isInvalid() const
+ {
+ // (m_bufferPos == m_bufferEnd) is a valid state for decoding if the last parameter
+ // is a variable length byte array and its size == 0.
+ return m_bufferPos < m_buffer || m_bufferPos > m_bufferEnd;
+ }
+ void markInvalid() { m_bufferPos = nullptr; }
bool decodeFixedLengthData(uint8_t*, size_t, unsigned alignment);
