[webkit-changes] [254745] trunk/Source/WebKit

[cdumez]

Title: [254745] trunk/Source/WebKit

Revision

254745

Author

cdu...@apple.com

Date

2020-01-17 07:56:30 -0800 (Fri, 17 Jan 2020)

Log Message

IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message
https://bugs.webkit.org/show_bug.cgi?id=206381

Reviewed by Anders Carlsson.

IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not
null and that the SharedBuffer returned by SharedBuffer::map() is not null.

* UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
(WebKit::WebPasteboardProxy::setPasteboardBufferForType):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (254744 => 254745)

--- trunk/Source/WebKit/ChangeLog	2020-01-17 15:17:17 UTC (rev 254744)
+++ trunk/Source/WebKit/ChangeLog	2020-01-17 15:56:30 UTC (rev 254745)
@@ -1,3 +1,16 @@
+2020-01-17  Chris Dumez  <cdu...@apple.com>
+
+        IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message
+        https://bugs.webkit.org/show_bug.cgi?id=206381
+
+        Reviewed by Anders Carlsson.
+
+        IPC hardening for WebPasteboardProxy::SetPasteboardBufferForType message. Make sure that the Strings passed over IPC are not
+        null and that the SharedBuffer returned by SharedBuffer::map() is not null.
+
+        * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+        (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+
 2020-01-17  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [GTK][WPE] Composition underline color is not applied

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (254744 => 254745)

--- trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm	2020-01-17 15:17:17 UTC (rev 254744)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm	2020-01-17 15:56:30 UTC (rev 254745)
@@ -158,9 +158,13 @@
 
 void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
 {
+    if (pasteboardName.isNull() || pasteboardType.isNull())
+        return completionHandler(0);
     if (handle.isNull())
         return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(0, pasteboardType));
     RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
+    if (!sharedMemoryBuffer)
+        return completionHandler(0);
     auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
     completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes