Title: [258925] branches/safari-609-branch/Source/WebKit
Revision: 258925
Author: [email protected]
Date: 2020-03-24 12:03:08 -0700 (Tue, 24 Mar 2020)
Log Message
Cherry-pick r258814. rdar://problem/60827019
decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
<https://webkit.org/b/209373>
<rdar://problem/60610919>
Reviewed by Darin Adler.
* Shared/WebCoreArgumentCoders.cpp:
(IPC::decodeSharedBuffer):
- Return early if `bufferSize` is too big.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258814 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (258924 => 258925)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-03-24 19:03:03 UTC (rev 258924)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-03-24 19:03:08 UTC (rev 258925)
@@ -1,33 +1,5 @@
-b'2020-03-24 Russell Epstein <[email protected]>\n\n Cherry-pick r258180. rdar://problem/60827009\n\n [iOS] Replace "unexpectedly resumed" observer with RunningBoard suspendible assertions\n https://bugs.webkit.org/show_bug.cgi?id=205687\n <rdar://problem/57890246>\n \n Reviewed by Tim Horton.\n \n Adopt new RunningBoard process assertion to indicate that WebContent processes depend on their\n UIProcess (and therefore, the UIProcess must be running if the WebContent process is). This\n replaces our "Unexpectedly resumed" assertion which was causing unexpected terminations in some\n cases.\n \n * Configurations/WebKit.xcconfig:\n * Platform/spi/ios/RunningBoardServicesSPI.h: Added.\n * Scripts/process-entitlements.sh:\n * Shared/DependencyProcessAssertion.cpp: Added.\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\n (WebKit::DependencyProcessAssertion::~Depende
ncyProcessAssertion):\n * Shared/DependencyProcessAssertion.h: Added.\n * Shared/ios/DependencyProcessAssertionIOS.mm: Added.\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\n * Sources.txt:\n * SourcesCocoa.txt:\n * UIProcess/Cocoa/WebProcessProxyCocoa.mm:\n * UIProcess/WebProcessProxy.h:\n * UIProcess/WebProcessProxy.messages.in:\n * WebKit.xcodeproj/project.pbxproj:\n * WebProcess/WebProcess.cpp:\n (WebKit::WebProcess::initializeConnection):\n * WebProcess/WebProcess.h:\n * WebProcess/cocoa/WebProcessCocoa.mm:\n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258180 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-09 Chris Dumez <[email protected]>\n\n [iOS] Replace "unexpectedly resumed" observer with RunningBoard suspendible assertions\n https://bugs.webkit.org/show_bug.cgi?id=205687\n
<rdar://problem/57890246>\n\n Reviewed by Tim Horton.\n\n Adopt new RunningBoard process assertion to indicate that WebContent processes depend on their\n UIProcess (and therefore, the UIProcess must be running if the WebContent process is). This\n replaces our "Unexpectedly resumed" assertion which was causing unexpected terminations in some\n cases.\n\n * Configurations/WebKit.xcconfig:\n * Platform/spi/ios/RunningBoardServicesSPI.h: Added.\n * Scripts/process-entitlements.sh:\n * Shared/DependencyProcessAssertion.cpp: Added.\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\n * Shared/DependencyProcessAssertion.h: Added.\n * Shared/ios/DependencyProcessAssertionIOS.mm: Added.\n (WebKit::DependencyProcessAssertion::Depe
ndencyProcessAssertion):\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\n * Sources.txt:\n * SourcesCocoa.txt:\n * UIProcess/Cocoa/WebProcessProxyCocoa.mm:\n * UIProcess/WebProcessProxy.h:\n * UIProcess/WebProcessProxy.messages.in:\n * WebKit.xcodeproj/project.pbxproj:\n * WebProcess/WebProcess.cpp:\n (WebKit::WebProcess::initializeConnection):\n * WebProcess/WebProcess.h:\n * WebProcess/cocoa/WebProcessCocoa.mm:\n\n b\'2020-03-23 Russell Epstein <[email protected]>\\n\\n Cherry-pick r258741. rdar://problem/60756641\\n\\n Sanitize suggested download filename received from web process\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\n <rdar://problem/59487723>\\n \\n Patch by Alex Christensen <[email protected]> on 2020-03-19\\n Reviewed by Chris Dumez.\\n \\n Source/WebKit:\\n
\\n * UIProcess/Downloads/DownloadProxy.cpp:\\n (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\\n \\n LayoutTests:\\n \\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\n \\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-19 Alex Christensen <[email protected]>\\n\\n Sanitize suggested download filename received from web process\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\n <rdar://problem/59487723>\\n\\n Reviewed by Chris Dumez.\\n\\n * UIProcess/Downloads/DownloadProxy.cpp:\\n (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\\n\\n\'2020-03-23 Russell Epstein <[email protected]>\n\n Apply patch. rdar://probl
em/60756683\n 2020-03-23 John Wilander <[email protected]>\n Cherry-pick r258599. rdar://problem/60089022\n 2020-03-17 John Wilander <[email protected]>\n Add quirk for cookie blocking latch mode ymail.com redirecting to yahoo.com under yahoo.com\n https://bugs.webkit.org/show_bug.cgi?id=209193\n <rdar://problem/60089022>\n\n Reviewed by Brent Fulgham.\n\n No new tests. Site-specific quirk tested manually on the site in question.\n * NetworkProcess/cocoa/NetworkDataTaskCocoa.h:\n * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:\n (WebKit::NetworkDataTaskCocoa::unblockCookies):\n (WebKit::NetworkDataTaskCocoa::needsFirstPartyCookieBlockingLatchModeQuirk const):\n (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):\n\n Apply patch. rdar://problem/60363244\n\n Crash in com.apple.WebKit.WebContent at WebKit::WebSWClientConnection::scheduleJobInServe
r <rdar://problem/60363244>\n\n Patch by Youenn Fablet <[email protected]> on 2020-03-13\n Reviewed by David Kilzer.\n\n * WebProcess/Storage/WebSWClientConnection.cpp:\n (WebKit::WebSWClientConnection::scheduleJobInServer):\n - Revert branch commit r256687. This RELEASE_ASSERT() was\n removed on trunk as part of r256578 (which was merged to this\n branch in r256680, then added back in r256687).\n\n 2020-03-13 Youenn Fablet <[email protected]>\n\n Crash in com.apple.WebKit.WebContent at WebKit::WebSWClientConnection::scheduleJobInServer\n <rdar://problem/60363244>\n\n Reviewed by David Kilzer.\n\n * WebProcess/Storage/WebSWClientConnection.cpp:\n (WebKit::WebSWClientConnection::scheduleJobInServer):\n - Revert branch commit r256687. This RELEASE_ASSERT() was\n removed on trunk as part of r2565
78 (which was merged to this\n branch in r256680, then added back in r256687).\n\n'2020-03-17 Kocsen Chung <[email protected]>
+b'2020-03-24 Russell Epstein <[email protected]>\n\n Cherry-pick r258814. rdar://problem/60827019\n\n decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`\n <https://webkit.org/b/209373>\n <rdar://problem/60610919>\n \n Reviewed by Darin Adler.\n \n * Shared/WebCoreArgumentCoders.cpp:\n (IPC::decodeSharedBuffer):\n - Return early if `bufferSize` is too big.\n \n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258814 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-21 David Kilzer <[email protected]>\n\n decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`\n <https://webkit.org/b/209373>\n <rdar://problem/60610919>\n\n Reviewed by Darin Adler.\n\n * Shared/WebCoreArgumentCoders.cpp:\n (IPC::decodeSharedBuffer):\n - Return early if `bufferSize` is
too big.\n\n b\'2020-03-24 Russell Epstein <[email protected]>\\n\\n Cherry-pick r258180. rdar://problem/60827009\\n\\n [iOS] Replace "unexpectedly resumed" observer with RunningBoard suspendible assertions\\n https://bugs.webkit.org/show_bug.cgi?id=205687\\n <rdar://problem/57890246>\\n \\n Reviewed by Tim Horton.\\n \\n Adopt new RunningBoard process assertion to indicate that WebContent processes depend on their\\n UIProcess (and therefore, the UIProcess must be running if the WebContent process is). This\\n replaces our "Unexpectedly resumed" assertion which was causing unexpected terminations in some\\n cases.\\n \\n * Configurations/WebKit.xcconfig:\\n * Platform/spi/ios/RunningBoardServicesSPI.h: Added.\\n * Scripts/process-entitlements.sh:\\n * Shared/DependencyProcessAssertion.cpp: Added.\\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\\n (WebKit::Dependency
ProcessAssertion::~DependencyProcessAssertion):\\n * Shared/DependencyProcessAssertion.h: Added.\\n * Shared/ios/DependencyProcessAssertionIOS.mm: Added.\\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\\n * Sources.txt:\\n * SourcesCocoa.txt:\\n * UIProcess/Cocoa/WebProcessProxyCocoa.mm:\\n * UIProcess/WebProcessProxy.h:\\n * UIProcess/WebProcessProxy.messages.in:\\n * WebKit.xcodeproj/project.pbxproj:\\n * WebProcess/WebProcess.cpp:\\n (WebKit::WebProcess::initializeConnection):\\n * WebProcess/WebProcess.h:\\n * WebProcess/cocoa/WebProcessCocoa.mm:\\n \\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258180 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-09 Chris Dumez <[email protected]>\\n\\n [iOS] Replace "unexpectedly resumed" observer with RunningBoard suspendible assertions\\n http
s://bugs.webkit.org/show_bug.cgi?id=205687\\n <rdar://problem/57890246>\\n\\n Reviewed by Tim Horton.\\n\\n Adopt new RunningBoard process assertion to indicate that WebContent processes depend on their\\n UIProcess (and therefore, the UIProcess must be running if the WebContent process is). This\\n replaces our "Unexpectedly resumed" assertion which was causing unexpected terminations in some\\n cases.\\n\\n * Configurations/WebKit.xcconfig:\\n * Platform/spi/ios/RunningBoardServicesSPI.h: Added.\\n * Scripts/process-entitlements.sh:\\n * Shared/DependencyProcessAssertion.cpp: Added.\\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\\n * Shared/DependencyProcessAssertion.h: Added.\\n * Shared/ios/DependencyProcessAssertionIOS.m
m: Added.\\n (WebKit::DependencyProcessAssertion::DependencyProcessAssertion):\\n (WebKit::DependencyProcessAssertion::~DependencyProcessAssertion):\\n * Sources.txt:\\n * SourcesCocoa.txt:\\n * UIProcess/Cocoa/WebProcessProxyCocoa.mm:\\n * UIProcess/WebProcessProxy.h:\\n * UIProcess/WebProcessProxy.messages.in:\\n * WebKit.xcodeproj/project.pbxproj:\\n * WebProcess/WebProcess.cpp:\\n (WebKit::WebProcess::initializeConnection):\\n * WebProcess/WebProcess.h:\\n * WebProcess/cocoa/WebProcessCocoa.mm:\\n\\n b\\\'2020-03-23 Russell Epstein <[email protected]>\\\\n\\\\n Cherry-pick r258741. rdar://problem/60756641\\\\n\\\\n Sanitize suggested download filename received from web process\\\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\\\n <rdar://problem/59487723>\\\\n \\\\n Patch by Alex Christensen <achristense
[email protected]> on 2020-03-19\\\\n Reviewed by Chris Dumez.\\\\n \\\\n Source/WebKit:\\\\n \\\\n * UIProcess/Downloads/DownloadProxy.cpp:\\\\n (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\\\\n \\\\n LayoutTests:\\\\n \\\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\\\n \\\\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\\\n\\\\n 2020-03-19 Alex Christensen <[email protected]>\\\\n\\\\n Sanitize suggested download filename received from web process\\\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\\\n <rdar://problem/59487723>\\\\n\\\\n Reviewed by Chris Dumez.\\\\n\\\\n * UIProcess/Downloads/DownloadProxy.cpp:\\\\n (WebKit::DownloadProxy::deci
deDestinationWithSuggestedFilenameAsync):\\\\n\\\\n\\\'2020-03-23 Russell Epstein <[email protected]>\\n\\n Apply patch. rdar://problem/60756683\\n 2020-03-23 John Wilander <[email protected]>\\n Cherry-pick r258599. rdar://problem/60089022\\n 2020-03-17 John Wilander <[email protected]>\\n Add quirk for cookie blocking latch mode ymail.com redirecting to yahoo.com under yahoo.com\\n https://bugs.webkit.org/show_bug.cgi?id=209193\\n <rdar://problem/60089022>\\n\\n Reviewed by Brent Fulgham.\\n\\n No new tests. Site-specific quirk tested manually on the site in question.\\n * NetworkProcess/cocoa/NetworkDataTaskCocoa.h:\\n * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:\\n (WebKit::NetworkDataTaskCocoa::unblockCookies):\\n (WebKit::NetworkDataTaskCocoa::needsFirstPartyCookieBlockingLatchModeQuirk const):\\n (WebKit::NetworkDataTaskCocoa::willPerformHTT
PRedirection):\\n\\n Apply patch. rdar://problem/60363244\\n\\n Crash in com.apple.WebKit.WebContent at WebKit::WebSWClientConnection::scheduleJobInServer <rdar://problem/60363244>\\n\\n Patch by Youenn Fablet <[email protected]> on 2020-03-13\\n Reviewed by David Kilzer.\\n\\n * WebProcess/Storage/WebSWClientConnection.cpp:\\n (WebKit::WebSWClientConnection::scheduleJobInServer):\\n - Revert branch commit r256687. This RELEASE_ASSERT() was\\n removed on trunk as part of r256578 (which was merged to this\\n branch in r256680, then added back in r256687).\\n\\n 2020-03-13 Youenn Fablet <[email protected]>\\n\\n Crash in com.apple.WebKit.WebContent at WebKit::WebSWClientConnection::scheduleJobInServer\\n <rdar://problem/60363244>\\n\\n Reviewed by David Kilzer.\\n\\n * WebProcess/Storage/WebSWClientConnection.cpp:\\n
(WebKit::WebSWClientConnection::scheduleJobInServer):\\n - Revert branch commit r256687. This RELEASE_ASSERT() was\\n removed on trunk as part of r256578 (which was merged to this\\n branch in r256680, then added back in r256687).\\n\\n\'2020-03-17 Kocsen Chung <[email protected]>\n\n Apply patch. rdar://problem/60500511\n\n 2020-03-17 David Kilzer <[email protected]>\n\n Cherry-pick r258507. rdar://problem/60500511\n\n 2020-03-16 David Kilzer <[email protected]>\n\n WebPage::GetDataSelectionForPasteboard should validate its `size` variable\n <https://webkit.org/b/209092>\n <rdar://problem/60181345>\n\n Reviewed by Brent Fulgham.\n\n * Platform/IPC/Connection.h:\n (MESSAGE_CHECK_WITH_RETURN_VALUE_BASE): Add.\n - Variant of MESSAGE_CHECK_
BASE() that takes a return value.\n * UIProcess/mac/WebPageProxyMac.mm:\n (MESSAGE_CHECK_WITH_RETURN_VALUE): Add.\n (WebKit::WebPageProxy::dataSelectionForPasteboard):\n - Use new MESSAGE_CHECK_WITH_RETURN_VALUE() macro to update\n check for handle.isNull() and to add check for `size`\n variable.\n - Add static_cast<size_t>() to `size` variable to denote type\n change.\n\n'2020-03-17 Alan Coon <[email protected]>
- Apply patch. rdar://problem/60500511
-
- 2020-03-17 David Kilzer <[email protected]>
-
- Cherry-pick r258507. rdar://problem/60500511
-
- 2020-03-16 David Kilzer <[email protected]>
-
- WebPage::GetDataSelectionForPasteboard should validate its `size` variable
- <https://webkit.org/b/209092>
- <rdar://problem/60181345>
-
- Reviewed by Brent Fulgham.
-
- * Platform/IPC/Connection.h:
- (MESSAGE_CHECK_WITH_RETURN_VALUE_BASE): Add.
- - Variant of MESSAGE_CHECK_BASE() that takes a return value.
- * UIProcess/mac/WebPageProxyMac.mm:
- (MESSAGE_CHECK_WITH_RETURN_VALUE): Add.
- (WebKit::WebPageProxy::dataSelectionForPasteboard):
- - Use new MESSAGE_CHECK_WITH_RETURN_VALUE() macro to update
- check for handle.isNull() and to add check for `size`
- variable.
- - Add static_cast<size_t>() to `size` variable to denote type
- change.
-
-2020-03-17 Alan Coon <[email protected]>
-
Apply patch. rdar://problem/60433244
2020-03-17 David Kilzer <[email protected]>
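Review bot: the ChangeLog entry added at the top of this hunk is a Python bytes literal (`+b'2020-03-24 Russell Epstein ...\n\n Cherry-pick r258814. ...`) with literal `\n` escape sequences instead of real newlines, and the older entries it wraps are escaped one level deeper at each nesting (`\\n`, `\\\\n`, `b\'`), so the branch's cherry-pick tooling appears to be writing the repr() of the previous file contents back into ChangeLog rather than decoded text. The removed `-b'2020-03-24 ...` line shows the same problem, so this is pre-existing, but every merge makes the file less readable and larger; suggest decoding the bytes before writing and restoring plain entries in the format the unchanged lines from `2020-03-17 Alan Coon` onward still use.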
Modified: branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp (258924 => 258925)
--- branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-03-24 19:03:03 UTC (rev 258924)
+++ branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-03-24 19:03:08 UTC (rev 258925)
@@ -145,6 +145,10 @@
if (!decoder.decode(handle))
return false;
+ // SharedMemory::Handle::size() is rounded up to the nearest page.
+ if (bufferSize > handle.size())
+ return false;
+
auto sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), bufferSize);
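Review bot: the new `bufferSize > handle.size()` check is correctly placed before `SharedMemory::map()`, but in the visible context `sharedMemoryBuffer->data()` is dereferenced on the following line with no null check; if `SharedMemory::map()` can return null on a failed mapping, and no check exists beyond these three lines of context, add `if (!sharedMemoryBuffer) return false;` ahead of the `SharedBuffer::create` call so a bad handle fails the decode the same way an oversized `bufferSize` now does. Also, as the added comment says, `handle.size()` is rounded up to a page, so the check admits a `bufferSize` up to the end of the last mapped page rather than the sender's exact payload length; that is safe for the mapping but is worth spelling out in the comment so a later reader does not tighten it to an equality check and start rejecting legitimate buffers.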
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes