Title: [254724] trunk/Source/WebKit
Revision: 254724
Author: [email protected]
Date: 2020-01-16 16:54:06 -0800 (Thu, 16 Jan 2020)

Log Message

IPC hardening for WebPageProxy::SetPromisedDataForImage message
https://bugs.webkit.org/show_bug.cgi?id=206380
<rdar://problem/58625196>

Reviewed by Geoffrey Garen.

IPC hardening for WebPageProxy::SetPromisedDataForImage message. Make sure the shared memory handle sent over IPC is not null
and null check the SharedMemory object after calling SharedMemory::map().

* UIProcess/mac/WebPageProxyMac.mm:
(WebKit::WebPageProxy::setPromisedDataForImage):

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (254723 => 254724)


--- trunk/Source/WebKit/ChangeLog	2020-01-17 00:51:18 UTC (rev 254723)
+++ trunk/Source/WebKit/ChangeLog	2020-01-17 00:54:06 UTC (rev 254724)
@@ -1,3 +1,17 @@
+2020-01-16  Chris Dumez  <[email protected]>
+
+        IPC hardening for WebPageProxy::SetPromisedDataForImage message
+        https://bugs.webkit.org/show_bug.cgi?id=206380
+        <rdar://problem/58625196>
+
+        Reviewed by Geoffrey Garen.
+
+        IPC hardening for WebPageProxy::SetPromisedDataForImage message. Make sure the shared memory handle sent over IPC is not null
+        and null check the SharedMemory object after calling SharedMemory::map().
+
+        * UIProcess/mac/WebPageProxyMac.mm:
+        (WebKit::WebPageProxy::setPromisedDataForImage):
+
 2020-01-16  Daniel Chen  <[email protected]>
 
         Call AtomString::init in WebKit2Initialize.

Modified: trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (254723 => 254724)


--- trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-01-17 00:51:18 UTC (rev 254723)
+++ trunk/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-01-17 00:54:06 UTC (rev 254724)
@@ -314,7 +314,12 @@
 {
     MESSAGE_CHECK_URL(url);
     MESSAGE_CHECK_URL(visibleURL);
+    MESSAGE_CHECK(!imageHandle.isNull());
+
     RefPtr<SharedMemory> sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+    if (!sharedMemoryImage)
+        return;
+
     auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), imageSize);
     RefPtr<SharedBuffer> archiveBuffer;
     
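Review bot: imageSize is still passed to SharedBuffer::create unchecked against the mapped region; the two new checks guard a null handle and a failed map, but nothing in this hunk bounds the copy from sharedMemoryImage->data() to the size that was actually mapped. Consider adding, after the `if (!sharedMemoryImage) return;` check, a MESSAGE_CHECK that imageSize does not exceed the mapped SharedMemory object's size (assuming SharedMemory exposes its mapped size), so a size that disagrees with the handle cannot read past the end of the shared memory region.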
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
