[webkit-changes] [258592] branches/safari-609-branch/Source/WebKit

[alancoon]

Title: [258592] branches/safari-609-branch/Source/WebKit

Revision

258592

Author

alanc...@apple.com

Date

2020-03-17 14:06:52 -0700 (Tue, 17 Mar 2020)

Log Message

Apply patch. rdar://problem/60430195

Modified Paths

• branches/safari-609-branch/Source/WebKit/ChangeLog
• branches/safari-609-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm

Diff

Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (258591 => 258592)

--- branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-17 21:06:49 UTC (rev 258591)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-17 21:06:52 UTC (rev 258592)
@@ -1,3 +1,27 @@
+2020-03-17  Alan Coon  <alanc...@apple.com>
+
+        Apply patch. rdar://problem/60430195
+
+    2020-03-17  David Kilzer  <ddkil...@apple.com>
+
+            Cherry-pick r258053. rdar://problem/60430195
+
+        2020-03-06  David Kilzer  <ddkil...@apple.com>
+
+            IPC hardening for WebPageProxy::SaveImageToLibrary message
+            <https://webkit.org/b/208730>
+            <rdar://problem/58700693>
+
+            Reviewed by Chris Dumez.
+
+            * UIProcess/ios/WebPageProxyIOS.mm:
+            (MESSAGE_CHECK): Define macro only for methods in this source file.
+            (WebKit::WebPageProxy::saveImageToLibrary):
+            - Make sure the shared memory handle sent over IPC is not null.
+            - Make sure the image size sent over IPC is not zero.
+            - Null check the SharedMemory object after calling
+              SharedMemory::map().
+
 2020-03-09  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r257659. rdar://problem/60183766

Modified: branches/safari-609-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm (258591 => 258592)

--- branches/safari-609-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-17 21:06:49 UTC (rev 258591)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm	2020-03-17 21:06:52 UTC (rev 258592)
@@ -76,6 +76,8 @@
 #import <wtf/text/WTFString.h>
 #endif
 
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
+
 #define RELEASE_LOG_IF_ALLOWED(channel, fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), channel, "%p - [pageProxyID=%llu, webPageID=%llu, PID=%i] WebPageProxy::" fmt, this, m_identifier.toUInt64(), m_webPageID.toUInt64(), m_process->processIdentifier(), ##__VA_ARGS__)
 
 namespace WebKit {
@@ -644,7 +646,13 @@
 
 void WebPageProxy::saveImageToLibrary(const SharedMemory::Handle& imageHandle, uint64_t imageSize)
 {
+    MESSAGE_CHECK(!imageHandle.isNull());
+    MESSAGE_CHECK(imageSize);
+
     auto sharedMemoryBuffer = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+    if (!sharedMemoryBuffer)
+        return;
+
     auto buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), imageSize);
     pageClient().saveImageToLibrary(WTFMove(buffer));
 }
@@ -1503,5 +1511,6 @@
 } // namespace WebKit
 
 #undef RELEASE_LOG_IF_ALLOWED
+#undef MESSAGE_CHECK
 
 #endif // PLATFORM(IOS_FAMILY)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes