Title: [258675] trunk/Source/WebKit
Revision
258675
Author
[email protected]
Date
2020-03-18 19:58:33 -0700 (Wed, 18 Mar 2020)

Log Message

WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
https://bugs.webkit.org/show_bug.cgi?id=209219

Reviewed by Darin Adler.

* Shared/WebCoreArgumentCoders.cpp:
(IPC::decodeSharedBuffer): Added checking of bufferIsLargeEnoughToContain.
(IPC::decodeTypesAndData): Don't allocate a buffer with the
decoded size. bufferIsLargeEnoughToContain can't be used in this
case because SharedBuffer is encoded as variable length data.
Instead, append items one-by-one.

Diff

Modified: trunk/Source/WebKit/ChangeLog (258674 => 258675)


--- trunk/Source/WebKit/ChangeLog	2020-03-19 02:27:56 UTC (rev 258674)
+++ trunk/Source/WebKit/ChangeLog	2020-03-19 02:58:33 UTC (rev 258675)
@@ -1,3 +1,17 @@
+2020-03-18  Fujii Hironori  <[email protected]>
+
+        WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
+        https://bugs.webkit.org/show_bug.cgi?id=209219
+
+        Reviewed by Darin Adler.
+
+        * Shared/WebCoreArgumentCoders.cpp:
+        (IPC::decodeSharedBuffer): Added checking of bufferIsLargeEnoughToContain.
+        (IPC::decodeTypesAndData): Don't allocate a buffer with the
+        decoded size. bufferIsLargeEnoughToContain can't be used in this
+        case because SharedBuffer is encoded as variable length data.
+        Instead, append items one-by-one.
+
 2020-03-18  John Wilander  <[email protected]>
 
         WebResourceLoadStatisticsStore::requestStorageAccessUnderOpener() should call its ephemeral counterpart when appropriate

Modified: trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp (258674 => 258675)


--- trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp	2020-03-19 02:27:56 UTC (rev 258674)
+++ trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp	2020-03-19 02:58:33 UTC (rev 258675)
@@ -155,6 +155,9 @@
         return true;
 
 #if USE(UNIX_DOMAIN_SOCKETS)
+    if (!decoder.bufferIsLargeEnoughToContain<uint8_t>(bufferSize))
+        return false;
+
     Vector<uint8_t> data;
     data.grow(bufferSize);
     if (!decoder.decodeFixedLengthData(data.data(), data.size(), 1))
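Review bot: the new `bufferIsLargeEnoughToContain<uint8_t>(bufferSize)` check correctly guards `data.grow(bufferSize)`, but it sits inside `#if USE(UNIX_DOMAIN_SOCKETS)`; whatever the other platform branch does with the same `bufferSize` is outside this hunk and deserves the same bound before any allocation. A one-line comment above the check saying that `bufferSize` is a decoded value and must be bounded by the remaining payload would make the intent clear to the next reader.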
@@ -193,9 +196,12 @@
 
     ASSERT(dataSize == types.size());
 
-    data.resize(dataSize);
-    for (auto& buffer : data)
-        decodeSharedBuffer(decoder, buffer);
+    for (uint64_t i = 0; i < dataSize; i++) {
+        RefPtr<SharedBuffer> buffer;
+        if (!decodeSharedBuffer(decoder, buffer))
+            return false;
+        data.append(WTFMove(buffer));
+    }
 
     return true;
 }
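Review bot: the loop is bounded by `dataSize`, yet the only thing tying it to `types.size()` is the debug-only `ASSERT(dataSize == types.size())` in the context lines, so in a release build a message with mismatched counts is still decoded. Turn it into a real check, e.g. `if (dataSize != types.size()) return false;`, so the mismatch fails the decode instead of being trusted. The rewrite also fixes that the old `decodeSharedBuffer(decoder, buffer)` call ignored its return value; that is worth a sentence in the ChangeLog entry.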
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes