Skip to site navigation (Press enter)

[webkit-changes] [258374] trunk/Source/WebKit

ddkilzer Thu, 12 Mar 2020 17:17:29 -0700

Title: [258374] trunk/Source/WebKit

Revision: 258374
Author: [email protected]
Date: 2020-03-12 17:15:55 -0700 (Thu, 12 Mar 2020)

Log Message

WebPageProxy::SaveImageToLibrary should validate its `imageSize` parameter
<https://webkit.org/b/209012>
<rdar://problem/60181295>


Reviewed by Chris Dumez.

* UIProcess/ios/WebPageProxyIOS.mm:
(WebKit::WebPageProxy::saveImageToLibrary):
- Validate upper bound of `imageSize` parameter.
- Add static_cast<size_t>() to `imageSize` parameter to denote
  type change.

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (258373 => 258374)


--- trunk/Source/WebKit/ChangeLog	2020-03-12 23:55:06 UTC (rev 258373)
+++ trunk/Source/WebKit/ChangeLog	2020-03-13 00:15:55 UTC (rev 258374)
@@ -1,3 +1,17 @@
+2020-03-12  David Kilzer  <[email protected]>
+
+        WebPageProxy::SaveImageToLibrary should validate its `imageSize` parameter
+        <https://webkit.org/b/209012>
+        <rdar://problem/60181295>
+
+        Reviewed by Chris Dumez.
+
+        * UIProcess/ios/WebPageProxyIOS.mm:
+        (WebKit::WebPageProxy::saveImageToLibrary):
+        - Validate upper bound of `imageSize` parameter.
+        - Add static_cast<size_t>() to `imageSize` parameter to denote
+          type change.
+
 2020-03-12  Chris Dumez  <[email protected]>
 
         Check for overflows in MachMessage::messageSize()

Modified: trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (258373 => 258374)


--- trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-12 23:55:06 UTC (rev 258373)
+++ trunk/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-13 00:15:55 UTC (rev 258374)
@@ -667,13 +667,14 @@
 void WebPageProxy::saveImageToLibrary(const SharedMemory::Handle& imageHandle, uint64_t imageSize)
 {
     MESSAGE_CHECK(!imageHandle.isNull());
-    MESSAGE_CHECK(imageSize);
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK(imageSize && imageSize <= imageHandle.size());
 
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryBuffer)
         return;
 
-    auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), imageSize);
+    auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), static_cast<size_t>(imageSize));
     pageClient().saveImageToLibrary(WTFMove(buffer));
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes