Title: [258597] branches/safari-609-branch/Source/WebKit

Diff

Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (258596 => 258597)


--- branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-17 21:07:03 UTC (rev 258596)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog	2020-03-17 21:07:06 UTC (rev 258597)
@@ -1,3 +1,31 @@
+2020-03-17  Kocsen Chung  <[email protected]>
+
+        Apply patch. rdar://problem/60500511
+
+    2020-03-17  David Kilzer  <[email protected]>
+
+            Cherry-pick r258507. rdar://problem/60500511
+
+        2020-03-16  David Kilzer  <[email protected]>
+
+            WebPage::GetDataSelectionForPasteboard should validate its `size` variable
+            <https://webkit.org/b/209092>
+            <rdar://problem/60181345>
+
+            Reviewed by Brent Fulgham.
+
+            * Platform/IPC/Connection.h:
+            (MESSAGE_CHECK_WITH_RETURN_VALUE_BASE): Add.
+            - Variant of MESSAGE_CHECK_BASE() that takes a return value.
+            * UIProcess/mac/WebPageProxyMac.mm:
+            (MESSAGE_CHECK_WITH_RETURN_VALUE): Add.
+            (WebKit::WebPageProxy::dataSelectionForPasteboard):
+            - Use new MESSAGE_CHECK_WITH_RETURN_VALUE() macro to update
+              check for handle.isNull() and to add check for `size`
+              variable.
+            - Add static_cast<size_t>() to `size` variable to denote type
+              change.
+
 2020-03-17  Alan Coon  <[email protected]>
 
         Apply patch. rdar://problem/60433244

Modified: branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h (258596 => 258597)


--- branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h	2020-03-17 21:07:03 UTC (rev 258596)
+++ branches/safari-609-branch/Source/WebKit/Platform/IPC/Connection.h	2020-03-17 21:07:06 UTC (rev 258597)
@@ -87,6 +87,14 @@
     } \
 while (0)
 
+#define MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, connection, returnValue) do \
+    if (!(assertion)) { \
+        ASSERT(assertion); \
+        (connection)->markCurrentlyDispatchedMessageAsInvalid(); \
+        return (returnValue); \
+    } \
+while (0)
+
 template<typename AsyncReplyResult> struct AsyncReplyError {
     static AsyncReplyResult create() { return { }; };
 };
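Review bot: The new `MESSAGE_CHECK_WITH_RETURN_VALUE_BASE` macro has no comment, and two of its properties should be documented at the definition. It hides a `return (returnValue);`, so it is only usable inside a function whose return type accepts that value. It also expands `assertion` twice (in the `if` and again in `ASSERT(assertion)`), so the expression must be free of side effects. A comment above the `#define` such as `// Like MESSAGE_CHECK_BASE(), but returns returnValue from the calling function. assertion may be evaluated twice; it must have no side effects.` would cover both. The preceding macro's definition starts outside the hunk, so whether it already carries such a comment is not visible here.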

Modified: branches/safari-609-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (258596 => 258597)


--- branches/safari-609-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-03-17 21:07:03 UTC (rev 258596)
+++ branches/safari-609-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-03-17 21:07:06 UTC (rev 258597)
@@ -31,6 +31,7 @@
 #import "APIUIClient.h"
 #import "AttributedString.h"
 #import "ColorSpaceData.h"
+#import "Connection.h"
 #import "DataReference.h"
 #import "EditorState.h"
 #import "FontInfo.h"
@@ -67,6 +68,7 @@
 
 #define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, process().connection())
 #define MESSAGE_CHECK_URL(url) MESSAGE_CHECK_BASE(checkURLReceivedFromCurrentOrPreviousWebProcess(m_process, url), m_process->connection())
+#define MESSAGE_CHECK_WITH_RETURN_VALUE(assertion, returnValue) MESSAGE_CHECK_WITH_RETURN_VALUE_BASE(assertion, process().connection(), returnValue)
 
 @interface NSApplication ()
 - (BOOL)isSpeaking;
@@ -283,10 +285,12 @@
     const Seconds messageTimeout(20);
     process().sendSync(Messages::WebPage::GetDataSelectionForPasteboard(pasteboardType),
         Messages::WebPage::GetDataSelectionForPasteboard::Reply(handle, size), m_webPageID, messageTimeout);
-    if (handle.isNull())
-        return nullptr;
-    RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
-    return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
+    MESSAGE_CHECK_WITH_RETURN_VALUE(!handle.isNull(), nullptr);
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK_WITH_RETURN_VALUE(size <= handle.size(), nullptr);
+
+    auto sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
+    return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), static_cast<size_t>(size));
 }
 
 bool WebPageProxy::readSelectionFromPasteboard(const String& pasteboardName)
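Review bot: The result of `SharedMemory::map()` is still dereferenced without a null check at `sharedMemoryBuffer->data()`. The removed line held it in a `RefPtr<SharedMemory>`, so a failed mapping would be a null dereference in the UI process even after the new `size <= handle.size()` check passes. A guard such as `if (!sharedMemoryBuffer) return nullptr;` before `SharedBuffer::create()` would close that. Separately, the return value of `process().sendSync(...)` is not inspected, so a timeout or send failure presumably leaves `handle` null; that case is now reported as an invalid message (and trips `ASSERT` in debug builds) instead of quietly returning `nullptr` as before. Checking the sendSync result first would reserve the message check for genuinely malformed replies. The function body begins outside the hunk, so the declared type of `size` is not visible here.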