Title: [255933] releases/WebKitGTK/webkit-2.28/Source/WebKit
Revision
255933
Author
[email protected]
Date
2020-02-06 07:10:36 -0800 (Thu, 06 Feb 2020)

Log Message

Merge r255868 - [IPC hardening] Protect against bad identifier in CacheStorageEngineConnection::reference() / dereference()
https://bugs.webkit.org/show_bug.cgi?id=207302
<rdar://problem/59016099>

Reviewed by Alex Christensen.

* NetworkProcess/cache/CacheStorageEngineConnection.cpp:
(WebKit::CacheStorageEngineConnection::reference):
(WebKit::CacheStorageEngineConnection::dereference):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.28/Source/WebKit/ChangeLog (255932 => 255933)


--- releases/WebKitGTK/webkit-2.28/Source/WebKit/ChangeLog	2020-02-06 15:10:33 UTC (rev 255932)
+++ releases/WebKitGTK/webkit-2.28/Source/WebKit/ChangeLog	2020-02-06 15:10:36 UTC (rev 255933)
@@ -1,5 +1,17 @@
 2020-02-05  Chris Dumez  <[email protected]>
 
+        [IPC hardening] Protect against bad identifier in CacheStorageEngineConnection::reference() / dereference()
+        https://bugs.webkit.org/show_bug.cgi?id=207302
+        <rdar://problem/59016099>
+
+        Reviewed by Alex Christensen.
+
+        * NetworkProcess/cache/CacheStorageEngineConnection.cpp:
+        (WebKit::CacheStorageEngineConnection::reference):
+        (WebKit::CacheStorageEngineConnection::dereference):
+
+2020-02-05  Chris Dumez  <[email protected]>
+
         [IPC hardening] Protect against bad parameters in NetworkRTCProvider::createResolver()
         https://bugs.webkit.org/show_bug.cgi?id=207301
         <rdar://problem/59011449>
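Review bot: the ChangeLog entry lists the two touched functions but does not say what the change does with a bad identifier; since both hunks now return early and drop the message rather than failing loudly, a one-line note such as "Bail out early instead of inserting/looking up an identifier the map cannot hold" would make the intended behaviour clear to anyone reading the log later.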

Modified: releases/WebKitGTK/webkit-2.28/Source/WebKit/NetworkProcess/cache/CacheStorageEngineConnection.cpp (255932 => 255933)


--- releases/WebKitGTK/webkit-2.28/Source/WebKit/NetworkProcess/cache/CacheStorageEngineConnection.cpp	2020-02-06 15:10:33 UTC (rev 255932)
+++ releases/WebKitGTK/webkit-2.28/Source/WebKit/NetworkProcess/cache/CacheStorageEngineConnection.cpp	2020-02-06 15:10:36 UTC (rev 255933)
@@ -116,6 +116,10 @@
 void CacheStorageEngineConnection::reference(uint64_t cacheIdentifier)
 {
     RELEASE_LOG_IF_ALLOWED("reference cache %" PRIu64, cacheIdentifier);
+    ASSERT(m_cachesLocks.isValidKey(cacheIdentifier));
+    if (!m_cachesLocks.isValidKey(cacheIdentifier))
+        return;
+
     auto& counter = m_cachesLocks.ensure(cacheIdentifier, []() {
         return 0;
     }).iterator->value;
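Review bot: the new ASSERT(m_cachesLocks.isValidKey(cacheIdentifier)) duplicates the runtime check on the very next line, so a malformed IPC message crashes debug builds while release builds silently ignore it. Since RELEASE_LOG_IF_ALLOWED("reference cache %" PRIu64, cacheIdentifier) already runs one line earlier, consider logging the rejection as well so a bad identifier arriving from the WebContent process is observable in release builds rather than disappearing without trace.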
@@ -126,6 +130,9 @@
 void CacheStorageEngineConnection::dereference(uint64_t cacheIdentifier)
 {
     RELEASE_LOG_IF_ALLOWED("dereference cache %" PRIu64, cacheIdentifier);
+    ASSERT(m_cachesLocks.isValidKey(cacheIdentifier));
+    if (!m_cachesLocks.isValidKey(cacheIdentifier))
+        return;
 
     auto referenceResult = m_cachesLocks.find(cacheIdentifier);
     if (referenceResult == m_cachesLocks.end())
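Review bot: the validity check added here is identical to the one in reference(), and the existing find()/end() comparison below already handles identifiers that were never referenced, so the new early return only covers keys the map cannot look up at all. To keep the two paths from drifting, consider a small shared helper (for example a checked lookup on m_cachesLocks) used by both functions, and note that the reference() hunk adds its own blank line after the return while this one reuses the existing blank line, which is fine but worth keeping consistent.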
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
