Title: [258814] trunk/Source/WebKit
- Revision
- 258814
- Author
- [email protected]
- Date
- 2020-03-21 18:31:25 -0700 (Sat, 21 Mar 2020)
Log Message
decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
<https://webkit.org/b/209373>
<rdar://problem/60610919>
Reviewed by Darin Adler.
* Shared/WebCoreArgumentCoders.cpp:
(IPC::decodeSharedBuffer):
- Return early if `bufferSize` is too big.
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (258813 => 258814)
--- trunk/Source/WebKit/ChangeLog 2020-03-21 19:10:43 UTC (rev 258813)
+++ trunk/Source/WebKit/ChangeLog 2020-03-22 01:31:25 UTC (rev 258814)
@@ -1,3 +1,15 @@
+2020-03-21 David Kilzer <[email protected]>
+
+ decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
+ <https://webkit.org/b/209373>
+ <rdar://problem/60610919>
+
+ Reviewed by Darin Adler.
+
+ * Shared/WebCoreArgumentCoders.cpp:
+ (IPC::decodeSharedBuffer):
+ - Return early if `bufferSize` is too big.
+
2020-03-20 Wenson Hsieh <[email protected]>
[iPadOS] Yahoo! search results are sometimes zoomed in a little
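Review bot: the ChangeLog entry's "Return early if `bufferSize` is too big" leaves out what "too big" means and why the check is needed; since the code comment in the accompanying hunk notes that `SharedMemory::Handle::size()` is rounded up to a page, the entry should say that `bufferSize` is now rejected when it exceeds the (page-rounded) size of the received shared-memory handle, so the `SharedBuffer` created from the mapping cannot describe more bytes than were actually mapped. A reader of the ChangeLog alone cannot currently tell whether this is a correctness fix or a hardening change against a malformed IPC message.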
Modified: trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp (258813 => 258814)
--- trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-03-21 19:10:43 UTC (rev 258813)
+++ trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-03-22 01:31:25 UTC (rev 258814)
@@ -169,6 +169,10 @@
if (!decoder.decode(handle))
return false;
+ // SharedMemory::Handle::size() is rounded up to the nearest page.
+ if (bufferSize > handle.size())
+ return false;
+
auto sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), bufferSize);
#endif
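Review bot: `sharedMemoryBuffer` is dereferenced on the line following `SharedMemory::map(handle, SharedMemory::Protection::ReadOnly)` without a null check; if `map()` can fail for a handle that decoded successfully (bad descriptor, mapping refused), the decoder will crash on a malformed message rather than reject it, so consider `if (!sharedMemoryBuffer) return false;` before the `SharedBuffer::create(...)` call. Separately, because the new comparison is against the page-rounded `handle.size()`, a `bufferSize` larger than the bytes the sender actually wrote but within the last page is still accepted; that is bounded by the mapping and therefore safe, but the comment could say so explicitly so the next reader does not mistake the check for an exact-size validation.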
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes