Title: [258602] trunk/Source/WebKit
Revision: 258602
Author: [email protected]
Date: 2020-03-17 15:04:48 -0700 (Tue, 17 Mar 2020)

Log Message

WebKit::LocalAuthenticator::deleteDuplicateCredential() should check buffer size before memcmp
https://bugs.webkit.org/show_bug.cgi?id=209156
<rdar://problem/60444655>

Reviewed by Alex Christensen.

Covered by existing tests.

* UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
(WebKit::LocalAuthenticator::deleteDuplicateCredential const):

Diff

Modified: trunk/Source/WebKit/ChangeLog (258601 => 258602)


--- trunk/Source/WebKit/ChangeLog	2020-03-17 21:56:33 UTC (rev 258601)
+++ trunk/Source/WebKit/ChangeLog	2020-03-17 22:04:48 UTC (rev 258602)
@@ -1,3 +1,16 @@
+2020-03-17  Jiewen Tan  <[email protected]>
+
+        WebKit::LocalAuthenticator::deleteDuplicateCredential() should check buffer size before memcmp
+        https://bugs.webkit.org/show_bug.cgi?id=209156
+        <rdar://problem/60444655>
+
+        Reviewed by Alex Christensen.
+
+        Covered by existing tests.
+
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticator::deleteDuplicateCredential const):
+
 2020-03-17  Kate Cheney  <[email protected]>
 
        Add internal debugging when initializing an app-bound session
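
Review bot: "Covered by existing tests." in the new entry does not name a test that exercises a stored user handle whose length differs from the requested user id, which is the only case the added size check changes. Either name the test that hits that path or add one with a shorter and a longer `user.id` than the stored handle. The entry also gives no reason beyond its title; one sentence saying that the `memcmp` length came from the stored handle alone, regardless of `idVector.size()`, would make the ChangeLog useful to someone auditing this later.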

Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (258601 => 258602)


--- trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm	2020-03-17 21:56:33 UTC (rev 258601)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm	2020-03-17 22:04:48 UTC (rev 258602)
@@ -567,6 +567,8 @@
     m_existingCredentials.findMatching([creationOptions] (auto& credential) {
         auto* userHandle = credential->userHandle();
         ASSERT(userHandle);
+        if (userHandle->byteLength() != creationOptions.user.idVector.size())
+            return false;
         if (memcmp(userHandle->data(), creationOptions.user.idVector.data(), userHandle->byteLength()))
             return false;
 
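
Review bot: The added `userHandle->byteLength()` call sits directly after `ASSERT(userHandle);`, and `ASSERT` is compiled out of release builds, so a credential with a null user handle is still dereferenced there; if that state is reachable from stored credential data, prefer an explicit `if (!userHandle) return false;` (or `RELEASE_ASSERT`) ahead of the size check. The size comparison itself is the right fix, since the `memcmp` below takes its length from `userHandle->byteLength()` and would otherwise read past the end of a shorter `creationOptions.user.idVector`. As a style point, the length check and the `memcmp` could be folded into one condition so the two cannot drift apart in a later edit.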
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
