Title: [259496] branches/safari-609.2.1.2-branch/Source/WebKit
Revision
259496
Author
[email protected]
Date
2020-04-03 12:58:02 -0700 (Fri, 03 Apr 2020)

Log Message

Cherry-pick r258814. rdar://problem/61231972

    decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
    <https://webkit.org/b/209373>
    <rdar://problem/60610919>

    Reviewed by Darin Adler.

    * Shared/WebCoreArgumentCoders.cpp:
    (IPC::decodeSharedBuffer):
    - Return early if `bufferSize` is too big.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258814 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog (259495 => 259496)


--- branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-03 19:57:59 UTC (rev 259495)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/ChangeLog	2020-04-03 19:58:02 UTC (rev 259496)
@@ -1,5 +1,34 @@
 2020-04-03  Alan Coon  <[email protected]>
 
+        Cherry-pick r258814. rdar://problem/61231972
+
+    decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
+    <https://webkit.org/b/209373>
+    <rdar://problem/60610919>
+    
+    Reviewed by Darin Adler.
+    
+    * Shared/WebCoreArgumentCoders.cpp:
+    (IPC::decodeSharedBuffer):
+    - Return early if `bufferSize` is too big.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258814 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-21  David Kilzer  <[email protected]>
+
+            decodeSharedBuffer() in WebCoreArgumentCoders.cpp should validate `bufferSize`
+            <https://webkit.org/b/209373>
+            <rdar://problem/60610919>
+
+            Reviewed by Darin Adler.
+
+            * Shared/WebCoreArgumentCoders.cpp:
+            (IPC::decodeSharedBuffer):
+            - Return early if `bufferSize` is too big.
+
+2020-04-03  Alan Coon  <[email protected]>
+
         Cherry-pick r258741. rdar://problem/61231885
 
     Sanitize suggested download filename received from web process
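Review bot: the blank lines inside the nested cherry-pick entry (the `+    ` lines after "Reviewed by Darin Adler." and after the "Return early" bullet) carry trailing whitespace; ChangeLog blank lines should be empty, so strip it before landing. The nested original entry otherwise repeats the trunk entry verbatim and matches the code change.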

Modified: branches/safari-609.2.1.2-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp (259495 => 259496)


--- branches/safari-609.2.1.2-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp	2020-04-03 19:57:59 UTC (rev 259495)
+++ branches/safari-609.2.1.2-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp	2020-04-03 19:58:02 UTC (rev 259496)
@@ -145,6 +145,10 @@
     if (!decoder.decode(handle))
         return false;
 
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    if (bufferSize > handle.size())
+        return false;
+
     auto sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
     buffer = SharedBuffer::create(static_cast<unsigned char*>(sharedMemoryBuffer->data()), bufferSize);
 
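Review bot: the remaining gap in this hunk is on the line after the new check: `sharedMemoryBuffer->data()` is dereferenced without confirming that `SharedMemory::map` returned a mapping, so a failed map still reaches `SharedBuffer::create`; adding `if (!sharedMemoryBuffer) return false;` before that line would close the last untrusted-input failure path in this decoder. The new `bufferSize > handle.size()` check itself is placed at the right trust boundary: `bufferSize` is a length supplied by the sending process and must not be believed, while `handle.size()` reflects the shared memory region actually received, so rejecting a larger `bufferSize` stops the `SharedBuffer` from wrapping bytes past the end of the mapping. One caveat the comment already hints at: because `handle.size()` is rounded up to a page, a sender may still declare up to a page more than it wrote; that stays inside the mapping (a content-trust concern, not a memory-safety one), so consumers should not assume the tail bytes are meaningful data.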
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes