Title: [256081] trunk/Source
- Revision
- 256081
- Author
- [email protected]
- Date
- 2020-02-07 16:43:52 -0800 (Fri, 07 Feb 2020)
Log Message
Harden HashTable IPC decoders
https://bugs.webkit.org/show_bug.cgi?id=207415
Reviewed by Chris Dumez.
Source/WebKit:
* Platform/IPC/ArgumentCoders.h:
Source/WTF:
* wtf/HashCountedSet.h:
Modified Paths
Diff
Modified: trunk/Source/WTF/ChangeLog (256080 => 256081)
--- trunk/Source/WTF/ChangeLog 2020-02-08 00:43:17 UTC (rev 256080)
+++ trunk/Source/WTF/ChangeLog 2020-02-08 00:43:52 UTC (rev 256081)
@@ -1,3 +1,12 @@
+2020-02-07 Alex Christensen <[email protected]>
+
+ Harden HashTable IPC decoders
+ https://bugs.webkit.org/show_bug.cgi?id=207415
+
+ Reviewed by Chris Dumez.
+
+ * wtf/HashCountedSet.h:
+
2020-02-07 Ryan Haddad <[email protected]>
Unreviewed, rolling out r256051.
Modified: trunk/Source/WTF/wtf/HashCountedSet.h (256080 => 256081)
--- trunk/Source/WTF/wtf/HashCountedSet.h 2020-02-08 00:43:17 UTC (rev 256080)
+++ trunk/Source/WTF/wtf/HashCountedSet.h 2020-02-08 00:43:52 UTC (rev 256081)
@@ -110,6 +110,8 @@
template<typename V = ValueType> typename std::enable_if<IsSmartPtr<V>::value, unsigned>::type count(typename GetPtrHelper<V>::PtrType) const;
template<typename V = ValueType> typename std::enable_if<IsSmartPtr<V>::value, bool>::type remove(typename GetPtrHelper<V>::PtrType);
+ static bool isValidValue(const ValueType& value) { return ImplType::isValidValue(value); }
+
private:
ImplType m_impl;
};
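Review bot: `isValidValue` forwards to `ImplType::isValidValue`, but `ImplType` is declared outside this hunk, so the name it forwards to cannot be confirmed from here. If `ImplType` is a map from the value to its count, the check that matters is the one on the map's key, which the map decoder in this same commit reaches as `HashMapType::isValidKey`; the line would then read `return ImplType::isValidKey(value);`. Because this is a member of a class template, a wrong name would only surface once the IPC decoder instantiates it. A short comment would also help, assuming the underlying table rejects its reserved values: `// False for the table's reserved empty/deleted values, which must never be passed to add().`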
Modified: trunk/Source/WebKit/ChangeLog (256080 => 256081)
--- trunk/Source/WebKit/ChangeLog 2020-02-08 00:43:17 UTC (rev 256080)
+++ trunk/Source/WebKit/ChangeLog 2020-02-08 00:43:52 UTC (rev 256081)
@@ -1,3 +1,12 @@
+2020-02-07 Alex Christensen <[email protected]>
+
+ Harden HashTable IPC decoders
+ https://bugs.webkit.org/show_bug.cgi?id=207415
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/ArgumentCoders.h:
+
2020-02-07 Chris Dumez <[email protected]>
[Hardening] Validate Geolocation access permission on UIProcess side
Modified: trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h (256080 => 256081)
--- trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h 2020-02-08 00:43:17 UTC (rev 256080)
+++ trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h 2020-02-08 00:43:52 UTC (rev 256081)
@@ -389,6 +389,11 @@
if (UNLIKELY(!value))
return WTF::nullopt;
+ if (UNLIKELY(!HashMapType::isValidKey(*key))) {
+ decoder.markInvalid();
+ return WTF::nullopt;
+ }
+
if (UNLIKELY(!hashMap.add(WTFMove(*key), WTFMove(*value)).isNewEntry)) {
// The hash map already has the specified key, bail.
decoder.markInvalid();
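Review bot: The new `isValidKey` rejection has no comment saying why a successfully decoded key can still be unusable, while the duplicate-key branch right below it does. The key comes straight off the IPC message, so a short comment would help the next reader: `// Keys equal to the table's reserved empty/deleted values must not reach add(); treat them as a malformed message.` The same applies to the `isValidValue` checks added in the HashSet and HashCountedSet decoder hunks further down. The enclosing decode function starts and ends outside this hunk.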
@@ -444,7 +449,12 @@
if (!key)
return WTF::nullopt;
- if (!hashSet.add(WTFMove(key.value())).isNewEntry) {
+ if (UNLIKELY(!HashSetType::isValidValue(*key))) {
+ decoder.markInvalid();
+ return WTF::nullopt;
+ }
+
+ if (UNLIKELY(!hashSet.add(WTFMove(*key)).isNewEntry)) {
// The hash set already has the specified key, bail.
decoder.markInvalid();
return WTF::nullopt;
@@ -483,8 +493,13 @@
unsigned count;
if (!decoder.decode(count))
return false;
-
- if (!tempHashCountedSet.add(key, count).isNewEntry) {
+
+ if (UNLIKELY(!HashCountedSetType::isValidValue(key))) {
+ decoder.markInvalid();
+ return false;
+ }
+
+ if (UNLIKELY(!tempHashCountedSet.add(key, count).isNewEntry)) {
// The hash counted set already has the specified key, bail.
decoder.markInvalid();
return false;
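Review bot: `count` is still taken from the message and handed to `tempHashCountedSet.add(key, count)` unchecked; only `key` gets the new validation. HashCountedSet's add/remove code is not visible here, so this needs confirming, but if it assumes every stored entry has a non-zero count, a zero count from the sender would create an entry that breaks that assumption. The guard could cover both: `if (UNLIKELY(!count || !HashCountedSetType::isValidValue(key))) {`. The enclosing decode function starts and ends outside this hunk.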