Diff
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-03-17 21:06:55 UTC (rev 258593)
@@ -1,5 +1,54 @@
2020-03-17 Alan Coon <[email protected]>
+ Apply patch. rdar://problem/60396294
+
+ 2020-03-17 David Kilzer <[email protected]>
+
+ Cherry-pick r258334. rdar://problem/60396294
+
+ 2020-03-12 David Kilzer <[email protected]>
+
+ WebPasteboardProxy::SetPasteboardBufferForType should validate its `size` parameter
+ <https://webkit.org/b/208902>
+ <rdar://problem/60181117>
+
+ Reviewed by Chris Dumez.
+
+ * Platform/IPC/Connection.h:
+ (MESSAGE_CHECK_BASE):
+ - Define in terms of MESSAGE_CHECK_COMPLETION_BASE() with a
+ no-op completion handler.
+ (MESSAGE_CHECK_COMPLETION_BASE):
+ - Rename from MESSAGE_CHECK_BASE() and add completion handler
+ parameter.
+
+ * Platform/SharedMemory.h:
+ (WebKit::SharedMemory::Handle::size const): Add.
+
+ * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+ (MESSAGE_CHECK):
+ - Define macro to use in
+ WebPasteboardProxy::setPasteboardBufferForType().
+ - Undefine macro at end of source file due to unified sources.
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+ - Add IPC::Connection& parameter after change to
+ WebPasteboardProxy.messages.in. Use with MESSAGE_CHECK().
+ - Validate `size` parameter using MESSAGE_CHECK(). Because
+ SharedMemory::Handle::size() returns a size_t value, we do not
+ need to check `size <= std::numeric_limits<size_t>::max()`.
+ - Add static_cast<size_t>() to size parameter to denote type
+ change.
+ * UIProcess/WebPasteboardProxy.h:
+ (WebKit::WebPasteboardProxy::setPasteboardBufferForType):
+ - Add IPC::Connection& parameter after change to
+ WebPasteboardProxy.messages.in.
+ * UIProcess/WebPasteboardProxy.messages.in:
+ (SetPasteboardBufferForType):
+ - Add 'WantsConnection' attribute to add IPC::Connection&
+ parameter to WebPasteboardProxy::setPasteboardBufferForType().
+
+2020-03-17 Alan Coon <[email protected]>
+
Apply patch. rdar://problem/60430195
2020-03-17 David Kilzer <[email protected]>
Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h 2020-03-17 21:06:55 UTC (rev 258593)
@@ -76,10 +76,13 @@
InterruptWaitingIfSyncMessageArrives = 1 << 0,
};
-#define MESSAGE_CHECK_BASE(assertion, connection) do \
+#define MESSAGE_CHECK_BASE(assertion, connection) MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, (void)0)
+
+#define MESSAGE_CHECK_COMPLETION_BASE(assertion, connection, completion) do \
if (!(assertion)) { \
ASSERT(assertion); \
(connection)->markCurrentlyDispatchedMessageAsInvalid(); \
+ { completion; } \
return; \
} \
while (0)
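Review bot: MESSAGE_CHECK_COMPLETION_BASE is introduced without a comment stating its contract, and the `{ completion; } return;` sequence makes that contract easy to misuse. As written, the macro only works inside a function returning void and runs `completion` after the message has been marked invalid. It also expands `assertion` twice where ASSERT is enabled (once in the `if`, once in `ASSERT`), so the expression must have no side effects. I would add above the define: `// Marks the current message invalid, runs |completion| once (it must send the reply), then returns from the enclosing void function.` Callers passing a reply handler presumably need `completion` to invoke it exactly once, which cannot be confirmed from this hunk.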
Modified: branches/safari-609-branch/Source/WebKit/Platform/SharedMemory.h (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/Platform/SharedMemory.h 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/Platform/SharedMemory.h 2020-03-17 21:06:55 UTC (rev 258593)
@@ -73,6 +73,10 @@
bool isNull() const;
+#if OS(DARWIN) || OS(WINDOWS)
+ size_t size() const { return m_size; }
+#endif
+
void clear();
void encode(IPC::Encoder&) const;
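Review bot: The new `size()` accessor has no comment saying what the value means, and the caller added in WebPasteboardProxyCocoa.mm treats it as a security bound. That caller's comment says the value is rounded up to the nearest page, so it is an upper bound on the mapping, not the sender's payload length. I would document that at the declaration: `// Size of the shared region, rounded up to a page; use only as an upper bound when validating sender-supplied lengths.` The accessor is also compiled only under `OS(DARWIN) || OS(WINDOWS)`, so validation code on other ports cannot rely on it. The enclosing class starts and ends outside this hunk.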
Modified: branches/safari-609-branch/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm 2020-03-17 21:06:55 UTC (rev 258593)
@@ -26,6 +26,7 @@
#import "config.h"
#import "WebPasteboardProxy.h"
+#import "Connection.h"
#import "SandboxExtension.h"
#import "WebProcessProxy.h"
#import <WebCore/Color.h>
@@ -35,6 +36,8 @@
#import <WebCore/SharedBuffer.h>
#import <wtf/URL.h>
+#define MESSAGE_CHECK(assertion, completion) MESSAGE_CHECK_COMPLETION_BASE(assertion, (&connection), completion)
+
namespace WebKit {
using namespace WebCore;
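Review bot: The file-local MESSAGE_CHECK hard-codes `(&connection)`, so it silently depends on the enclosing function having an `IPC::Connection&` named exactly `connection`. A one-line comment would make this explicit for the next handler that adopts it: `// Requires an IPC::Connection& named |connection| in scope; |completion| must send the reply before the early return.` The matching `#undef` at the end of the file is in a later hunk.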
@@ -156,12 +159,16 @@
completionHandler(PlatformPasteboard(pasteboardName).setStringForType(string, pasteboardType));
}
-void WebPasteboardProxy::setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
+void WebPasteboardProxy::setPasteboardBufferForType(IPC::Connection& connection, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle& handle, uint64_t size, CompletionHandler<void(int64_t)>&& completionHandler)
{
if (handle.isNull())
return completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(0, pasteboardType));
+
+ // SharedMemory::Handle::size() is rounded up to the nearest page.
+ MESSAGE_CHECK(size && size <= handle.size(), completionHandler(0));
+
RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
- auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
+ auto buffer = SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), static_cast<size_t>(size));
completionHandler(PlatformPasteboard(pasteboardName).setBufferForType(buffer.ptr(), pasteboardType));
}
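Review bot: The result of `SharedMemory::map()` is still dereferenced unchecked on the line that calls `sharedMemoryBuffer->data()`. `map()` returns a `RefPtr`, so it can presumably be null when mapping the sender-supplied handle fails, and the new size check does not cover that case. I would add `if (!sharedMemoryBuffer) return completionHandler(0);` straight after the `map()` call, mirroring the reply value used for the failed MESSAGE_CHECK. Separately, because `handle.size()` is page-rounded, a `size` between the real payload length and the page boundary still passes. The read stays inside the mapping, but the bytes past the payload are whatever the sender left there, which is worth stating in the comment above the check.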
@@ -254,3 +261,5 @@
#endif // PLATFORM(IOS_FAMILY)
} // namespace WebKit
+
+#undef MESSAGE_CHECK
Modified: branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.h (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.h 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.h 2020-03-17 21:06:55 UTC (rev 258593)
@@ -93,7 +93,7 @@
void setPasteboardURL(IPC::Connection&, const WebCore::PasteboardURL&, const String& pasteboardName, CompletionHandler<void(int64_t)>&&);
void setPasteboardColor(const String&, const WebCore::Color&, CompletionHandler<void(int64_t)>&&);
void setPasteboardStringForType(const String& pasteboardName, const String& pasteboardType, const String&, CompletionHandler<void(int64_t)>&&);
- void setPasteboardBufferForType(const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
+ void setPasteboardBufferForType(IPC::Connection&, const String& pasteboardName, const String& pasteboardType, const SharedMemory::Handle&, uint64_t size, CompletionHandler<void(int64_t)>&&);
#endif
void readStringFromPasteboard(size_t index, const String& pasteboardType, const String& pasteboardName, CompletionHandler<void(String&&)>&&);
Modified: branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in (258592 => 258593)
--- branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in 2020-03-17 21:06:52 UTC (rev 258592)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in 2020-03-17 21:06:55 UTC (rev 258593)
@@ -56,7 +56,7 @@
SetPasteboardURL(struct WebCore::PasteboardURL pasteboardURL, String pasteboardName) -> (int64_t changeCount) Synchronous WantsConnection
SetPasteboardColor(String pasteboardName, WebCore::Color color) -> (int64_t changeCount) Synchronous
SetPasteboardStringForType(String pasteboardName, String pasteboardType, String string) -> (int64_t changeCount) Synchronous
- SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous
+ SetPasteboardBufferForType(String pasteboardName, String pasteboardType, WebKit::SharedMemory::Handle handle, uint64_t size) -> (int64_t changeCount) Synchronous WantsConnection
#endif
#if PLATFORM(GTK)