Title: [258053] trunk/Source/WebKit
Revision
258053
Author
[email protected]
Date
2020-03-06 20:32:32 -0800 (Fri, 06 Mar 2020)

Log Message

IPC hardening for WebPageProxy::SaveImageToLibrary message
<https://webkit.org/b/208730>
<rdar://problem/58700693>

Reviewed by Chris Dumez.

* UIProcess/ios/WebPageProxyIOS.mm:
(MESSAGE_CHECK): Define macro only for methods in this source file.
(WebKit::WebPageProxy::saveImageToLibrary):
- Make sure the shared memory handle sent over IPC is not null.
- Make sure the image size sent over IPC is not zero.
- Null check the SharedMemory object after calling
  SharedMemory::map().


Modified: trunk/Source/WebKit/ChangeLog (258052 => 258053)


--- trunk/Source/WebKit/ChangeLog	2020-03-07 04:07:53 UTC (rev 258052)
+++ trunk/Source/WebKit/ChangeLog	2020-03-07 04:32:32 UTC (rev 258053)
@@ -1,3 +1,19 @@
+2020-03-06  David Kilzer  <[email protected]>
+
+        IPC hardening for WebPageProxy::SaveImageToLibrary message
+        <https://webkit.org/b/208730>
+        <rdar://problem/58700693>
+
+        Reviewed by Chris Dumez.
+
+        * UIProcess/ios/WebPageProxyIOS.mm:
+        (MESSAGE_CHECK): Define macro only for methods in this source file.
+        (WebKit::WebPageProxy::saveImageToLibrary):
+        - Make sure the shared memory handle sent over IPC is not null.
+        - Make sure the image size sent over IPC is not zero.
+        - Null check the SharedMemory object after calling
+          SharedMemory::map().
+
 2020-03-06  Alex Christensen  <[email protected]>
 
         Add SPI to disable cross origin access control checks

Modified: trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (258052 => 258053)


--- trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-07 04:07:53 UTC (rev 258052)
+++ trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-07 04:32:32 UTC (rev 258053)
@@ -78,6 +78,8 @@
 #import <wtf/text/WTFString.h>
 #endif
 
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
+
 #define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
 
 namespace WebKit {
@@ -664,7 +666,13 @@
 
 void WebPageProxy::saveImageToLibrary(const SharedMemory::Handle& imageHandle, uint64_t imageSize)
 {
+    MESSAGE_CHECK(!imageHandle.isNull());
+    MESSAGE_CHECK(imageSize);
+
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+    if (!sharedMemoryBuffer)
+        return;
+
     auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), imageSize);
     pageClient().saveImageToLibrary(WTFMove(buffer));
 }
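Review bot: The new checks still let imageSize exceed the mapping: `SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), imageSize)` copies imageSize bytes out of the mapped region, but imageSize arrives in the same message from the web process and is only checked to be non-zero, so an oversized value reads past the end of the shared memory mapping. Bounding it by the size the mapping actually has closes that gap, e.g. `MESSAGE_CHECK(imageSize <= sharedMemoryBuffer->size());` inserted after the `if (!sharedMemoryBuffer) return;` guard, assuming the SharedMemory object exposes its mapped size as it does elsewhere in WebKit. The mapped size is what the UI process established itself via SharedMemory::map, which is why it is the right reference rather than anything else sent by the peer. A one-line comment on the two MESSAGE_CHECKs, `// Both values come from the web process; reject anything that cannot describe a valid image.`, would document why the checks terminate the connection rather than silently return like the map failure does.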
@@ -1560,5 +1568,6 @@
 } // namespace WebKit
 
 #undef RELEASE_LOG_IF_ALLOWED
+#undef MESSAGE_CHECK
 
 #endif // PLATFORM(IOS_FAMILY)