- Revision
- 258334
- Author
- [email protected]
- Date
- 2020-03-12 09:28:22 -0700 (Thu, 12 Mar 2020)
Log Message
WebPasteboardProxy::SetPasteboardBufferForType should validate its `size` parameter
<https://webkit.org/b/208902>
<rdar://problem/60181117>
Reviewed by Chris Dumez.
* Platform/IPC/Connection.h:
(MESSAGE_CHECK_BASE):
- Define in terms of MESSAGE_CHECK_COMPLETION_BASE() with a
no-op completion handler.
(MESSAGE_CHECK_COMPLETION_BASE):
- Rename from MESSAGE_CHECK_BASE() and add completion handler
parameter.
* Platform/SharedMemory.h:
(WebKit::SharedMemory::Handle::size const): Add.
* UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
(MESSAGE_CHECK):
- Define macro to use in
WebPasteboardProxy::setPasteboardBufferForType().
- Undefine macro at end of source file due to unified sources.
(WebKit::WebPasteboardProxy::setPasteboardBufferForType):
- Add IPC::Connection& parameter after change to
WebPasteboardProxy.messages.in. Use with MESSAGE_CHECK().
- Validate `size` parameter using MESSAGE_CHECK(). Because
SharedMemory::Handle::size() returns a size_t value, we do not
need to check `size <= std::numeric_limits<size_t>::max()`.
- Add static_cast<size_t>() to size parameter to denote type
change.
* UIProcess/WebPasteboardProxy.h:
(WebKit::WebPasteboardProxy::setPasteboardBufferForType):
- Add IPC::Connection& parameter after change to
WebPasteboardProxy.messages.in.
* UIProcess/WebPasteboardProxy.messages.in:
(SetPasteboardBufferForType):
- Add 'WantsConnection' attribute to add IPC::Connection&
parameter to WebPasteboardProxy::setPasteboardBufferForType().
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (258333 => 258334)
--- trunk/Source/WebKit/ChangeLog 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/ChangeLog 2020-03-12 16:28:22 UTC (rev 258334)
@@ -1,3 +1,44 @@
+2020-03-12 David Kilzer <[email protected]>
+
+ WebPasteboardProxy::SetPasteboardBufferForType should validate its `size` parameter
+ <https://webkit.org/b/208902>
+ <rdar://problem/60181117>
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/Connection.h:
+ (MESSAGE_CHECK_BASE):
+ - Define in terms of MESSAGE_CHECK_COMPLETION_BASE() with a
+ no-op completion handler.
+ (MESSAGE_CHECK_COMPLETION_BASE):
+ - Rename from MESSAGE_CHECK_BASE() and add completion handler
+ parameter.
+
+ * Platform/SharedMemory.h:
+ (WebKit::SharedMemory::Handle::size const): Add.
+
+ * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+ (MESSAGE_CHECK):
+ - Define macro to use in
+ WebPasteboardProxy::setPasteboardBufferForType().
+ - Undefine macro at end of source file due to unified sources.
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+ - Add IPC::Connection& parameter after change to
+ WebPasteboardProxy.messages.in. Use with MESSAGE_CHECK().
+ - Validate `size` parameter using MESSAGE_CHECK(). Because
+ SharedMemory::Handle::size() returns a size_t value, we do not
+ need to check `size <= std::numeric_limits<size_t>::max()`.
+ - Add static_cast<size_t>() to size parameter to denote type
+ change.
+ * UIProcess/WebPasteboardProxy.h:
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+ - Add IPC::Connection& parameter after change to
+ WebPasteboardProxy.messages.in.
+ * UIProcess/WebPasteboardProxy.messages.in:
+ (SetPasteboardBufferForType):
+ - Add 'WantsConnection' attribute to add IPC::Connection&
+ parameter to WebPasteboardProxy::setPasteboardBufferForType().
+
2020-03-12 Youenn Fablet <[email protected]>
Provide orientation to GPUProcess when it will start to capture
Modified: trunk/Source/WebKit/Platform/IPC/Connection.h (258333 => 258334)
--- trunk/Source/WebKit/Platform/IPC/Connection.h 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/Platform/IPC/Connection.h 2020-03-12 16:28:22 UTC (rev 258334)
@@ -76,10 +76,13 @@
InterruptWaitingIfSyncMessageArrives = 1 << 0,
};
-#define MESSAGE_CHECK_BASE(assertion, connection) do \
+#define MESSAGE_CHECK_BASE(assertion, connection) MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, (void)0)
+
+#define MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, completion) do \
if (!(assertion)) { \
ASSERT(assertion); \
(connection)->markCurrentlyDispatchedMessageAsInvalid(); \
+ { completion; } \
return; \
} \
while (0)
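Review bot: MESSAGE_CHECK_COMPLETION_BASE has no comment stating what `completion` is for or when it runs, and that contract is easy to get wrong at a call site. From the expansion, `{ completion; }` executes only on the failure path, after `markCurrentlyDispatchedMessageAsInvalid()` and before the bare `return;`. The macro therefore only works in functions returning void, and the argument has to be a complete expression such as a reply-handler call. I would add above the define: `// On a failed check: marks the message invalid, runs 'completion' (normally the reply handler call), then returns from the enclosing void function.` The rest of the header is outside this hunk.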
Modified: trunk/Source/WebKit/Platform/SharedMemory.h (258333 => 258334)
--- trunk/Source/WebKit/Platform/SharedMemory.h 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/Platform/SharedMemory.h 2020-03-12 16:28:22 UTC (rev 258334)
@@ -73,6 +73,10 @@
bool isNull() const;
+#if OS(DARWIN) || OS(WINDOWS)
+ size_t size() const { return m_size; }
+#endif
+
void clear();
void encode(IPC::Encoder&) const;
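Review bot: The new `size()` accessor carries no comment, yet the caller added in WebPasteboardProxyCocoa.mm notes that the value is rounded up to the nearest page, which matters to anyone using it as a bound. A one-line comment on the accessor would keep that caveat with the API rather than at one call site, e.g. `// Size of the shared region in bytes, rounded up to a page; an upper bound for validation, not the payload length.` The accessor is also compiled only under `OS(DARWIN) || OS(WINDOWS)`, so code shared with other ports cannot rely on it. The rest of the Handle class is outside this hunk.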
Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (258333 => 258334)
--- trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2020-03-12 16:28:22 UTC (rev 258334)
@@ -26,6 +26,7 @@
#import "config.h"
#import "WebPasteboardProxy.h"
+#import "Connection.h"
#import "SandboxExtension.h"
#import "WebProcessProxy.h"
#import <WebCore/Color.h>
@@ -35,6 +36,8 @@
#import <WebCore/SharedBuffer.h>
#import <wtf/URL.h>
+#define MESSAGE_CHECK(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, (&connection), completion)
+
namespace WebKit {
using namespace WebCore;
@@ -171,7 +174,7 @@
completionHandler(PlatformPasteboard(pasteboardName).setStringForType(string, pasteboardType));
}
-void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
+void WebPasteboardProxy::setPasteboardBufferForType(IPC::Connection& connection, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
{
ASSERT(!pasteboardType.isNull());
if (pasteboardType.isNull())
@@ -179,10 +182,14 @@
if (handle.isNull())
return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(nullptr, pasteboardType));
+
+ // SharedMemory::Handle::size() is rounded up to the nearest page.
+ MESSAGE_CHECK(size && size <= handle.size(), completionHandler(0));
+
RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
if (!sharedMemoryBuffer)
return completionHandler(0);
- auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
+ auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), static_cast<size_t>(size));
completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
}
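Review bot: The bound `size <= handle.size()` in the added MESSAGE_CHECK is only as strong as `handle.size()`, and nothing visible here says where that value comes from. If `m_size` is decoded from the same IPC message as `size` (not visible in this diff), the check relies on `SharedMemory::map()` failing when the handle overstates the underlying memory object, and that dependency deserves a comment. I would extend the existing comment to something like `// handle.size() is page-rounded; map() below is expected to reject a handle whose size exceeds the real region (confirm).` The function starts above this hunk.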
@@ -287,3 +294,5 @@
#endif // PLATFORM(IOS_FAMILY)
} // namespace WebKit
+
+#undef MESSAGE_CHECK
Modified: trunk/Source/WebKit/UIProcess/WebPasteboardProxy.h (258333 => 258334)
--- trunk/Source/WebKit/UIProcess/WebPasteboardProxy.h 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/UIProcess/WebPasteboardProxy.h 2020-03-12 16:28:22 UTC (rev 258334)
@@ -92,7 +92,7 @@
void setPasteboardURL(IPC::Connection&, const WebCore::PasteboardURL&, const String& pasteboardName, CompletionHandler<void(int64_t)>&&);
void setPasteboardColor(const String&, const WebCore::Color&, CompletionHandler<void(int64_t)>&&);
void setPasteboardStringForType(const String& pasteboardName, const String& pasteboardType, const String&, CompletionHandler<void(int64_t)>&&);
- void setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
+ void setPasteboardBufferForType(IPC::Connection&, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
#endif
void readStringFromPasteboard(size_t index, const String& pasteboardType, const String& pasteboardName, CompletionHandler<void(String&&)>&&);
Modified: trunk/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in (258333 => 258334)
--- trunk/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in 2020-03-12 16:19:20 UTC (rev 258333)
+++ trunk/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in 2020-03-12 16:28:22 UTC (rev 258334)
@@ -55,7 +55,7 @@
SetPasteboardURL(struct WebCore::PasteboardURL pasteboardURL, String pasteboardName) -> (int64_t changeCount) Synchronous WantsConnection
SetPasteboardColor(String pasteboardName, WebCore::Color color) -> (int64_t changeCount) Synchronous
SetPasteboardStringForType(String pasteboardName, String pasteboardType, String string) -> (int64_t changeCount) Synchronous
- SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous
+ SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous WantsConnection
#endif
#if PLATFORM(GTK)