Title: [259489] branches/safari-609.2.1.2-branch/Source/WebKit
Revision
259489
Author
[email protected]
Date
2020-04-03 12:57:40 -0700 (Fri, 03 Apr 2020)

Log Message

Cherry-pick r258401. rdar://problem/61231940

    WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
    <https://webkit.org/b/209029>
    <rdar://problem/60181394>

    Reviewed by Youenn Fablet.

    * UIProcess/mac/WebPageProxyMac.mm:
    (WebKit::WebPageProxy::setPromisedDataForImage):
    - Validate `imageSize` and `archiveSize` using MESSAGE_CHECK().
    - Add static_cast<size_t>() to `imageSize` and `archiveSize`
      parameters to denote type change.
    - Add nullptr check for SharedMemory::map() result with
      `archiveHandle`.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258401 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog (259488 => 259489)


--- branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-03 19:57:38 UTC (rev 259488)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-03 19:57:40 UTC (rev 259489)
@@ -1,5 +1,41 @@
 2020-04-03  Alan Coon  <[email protected]>
 
+        Cherry-pick r258401. rdar://problem/61231940
+
+    WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
+    <https://webkit.org/b/209029>
+    <rdar://problem/60181394>
+    
+    Reviewed by Youenn Fablet.
+    
+    * UIProcess/mac/WebPageProxyMac.mm:
+    (WebKit::WebPageProxy::setPromisedDataForImage):
+    - Validate `imageSize` and `archiveSize` using MESSAGE_CHECK().
+    - Add static_cast<size_t>() to `imageSize` and `archiveSize`
+      parameters to denote type change.
+    - Add nullptr check for SharedMemory::map() result with
+      `archiveHandle`.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258401 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-13  David Kilzer  <[email protected]>
+
+            WebPageProxy::SetPromisedDataForImage should validate its `imageSize` and `archiveSize` parameters
+            <https://webkit.org/b/209029>
+            <rdar://problem/60181394>
+
+            Reviewed by Youenn Fablet.
+
+            * UIProcess/mac/WebPageProxyMac.mm:
+            (WebKit::WebPageProxy::setPromisedDataForImage):
+            - Validate `imageSize` and `archiveSize` using MESSAGE_CHECK().
+            - Add static_cast<size_t>() to `imageSize` and `archiveSize`
+              parameters to denote type change.
+            - Add nullptr check for SharedMemory::map() result with
+              `archiveHandle`.
+
+2020-04-03  Alan Coon  <[email protected]>
+
         Cherry-pick r254724. rdar://problem/61231960
 
     IPC hardening for WebPageProxy::SetPromisedDataForImage message
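Review bot: the ChangeLog text says only "Validate `imageSize` and `archiveSize` using MESSAGE_CHECK()", but the code hunk in WebPageProxyMac.mm rejects a zero size as well as one larger than the handle (`imageSize && imageSize <= imageHandle.size()`); both copies of the entry (the cherry-pick header and the nested `2020-03-13  David Kilzer` entry) could state that a zero-length image or archive is now a message-check failure, since that is a behaviour change for senders that previously passed an empty archive with a non-null handle.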

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm (259488 => 259489)


--- branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-04-03 19:57:38 UTC (rev 259488)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/UIProcess/mac/WebPageProxyMac.mm	2020-04-03 19:57:40 UTC (rev 259489)
@@ -315,17 +315,23 @@
     MESSAGE_CHECK_URL(url);
     MESSAGE_CHECK_URL(visibleURL);
     MESSAGE_CHECK(!imageHandle.isNull());
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    MESSAGE_CHECK(imageSize && imageSize <= imageHandle.size());
 
-    RefPtr<SharedMemory> sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
+    auto sharedMemoryImage = SharedMemory::map(imageHandle, SharedMemory::Protection::ReadOnly);
     if (!sharedMemoryImage)
         return;
 
-    auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), imageSize);
+    auto imageBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryImage->data()), static_cast<size_t>(imageSize));
     RefPtr<SharedBuffer> archiveBuffer;
-    
+
     if (!archiveHandle.isNull()) {
-        RefPtr<SharedMemory> sharedMemoryArchive = SharedMemory::map(archiveHandle, SharedMemory::Protection::ReadOnly);
-        archiveBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryArchive->data()), archiveSize);
+        // SharedMemory::Handle::size() is rounded up to the nearest page.
+        MESSAGE_CHECK(archiveSize && archiveSize <= archiveHandle.size());
+        auto sharedMemoryArchive = SharedMemory::map(archiveHandle, SharedMemory::Protection::ReadOnly);
+        if (!sharedMemoryArchive)
+            return;
+        archiveBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryArchive->data()), static_cast<size_t>(archiveSize));
     }
     pageClient().setPromisedDataForImage(pasteboardName, WTFMove(imageBuffer), filename, extension, title, url, visibleURL, WTFMove(archiveBuffer));
 }
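Review bot: the `archiveSize` MESSAGE_CHECK is placed inside the `if (!archiveHandle.isNull())` block, after `sharedMemoryImage` has already been mapped, whereas the `imageSize` check runs before any mapping; the ordering is safe because the image mapping is owned by `sharedMemoryImage` and released on the early return, but hoisting the archive check next to the image check (guarded by `archiveHandle.isNull() ||`) would validate every untrusted size before any shared memory is mapped and keep the two paths symmetric. Two further observations on the hunk: the added `if (!sharedMemoryArchive) return;` closes a null dereference in the removed line `archiveBuffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryArchive->data()), archiveSize);`, which never checked the result of `SharedMemory::map()`; and, as the added comment notes, `Handle::size()` is rounded up to a page, so the check bounds the read to the mapped region but does not tie `imageSize` to the sender's true image length, which is acceptable here because the downstream `SharedBuffer` only ever reads within the mapping.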
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes