Title: [259528] trunk/Source/WebKit
Revision
259528
Author
[email protected]
Date
2020-04-03 22:22:32 -0700 (Fri, 03 Apr 2020)

Log Message

WebPlatformStrategies::{readBufferFromPasteboard,bufferForType} should validate their `size` parameter
<https://webkit.org/b/209997>
<rdar://problem/60890565>

Reviewed by Wenson Hsieh.

* WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
(WebKit::WebPlatformStrategies::bufferForType):
(WebKit::WebPlatformStrategies::readBufferFromPasteboard):
- Validate the `size` parameter.

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (259527 => 259528)


--- trunk/Source/WebKit/ChangeLog	2020-04-04 05:06:20 UTC (rev 259527)
+++ trunk/Source/WebKit/ChangeLog	2020-04-04 05:22:32 UTC (rev 259528)
@@ -1,3 +1,16 @@
+2020-04-03  David Kilzer  <[email protected]>
+
+        WebPlatformStrategies::{readBufferFromPasteboard,bufferForType} should validate their `size` parameter
+        <https://webkit.org/b/209997>
+        <rdar://problem/60890565>
+
+        Reviewed by Wenson Hsieh.
+
+        * WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
+        (WebKit::WebPlatformStrategies::bufferForType):
+        (WebKit::WebPlatformStrategies::readBufferFromPasteboard):
+        - Validate the `size` parameter.
+
 2020-04-03  Wenson Hsieh  <[email protected]>
 
         The IPC message “registerAttachmentsFromSerializedData" should be capitalized

Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp (259527 => 259528)


--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp	2020-04-04 05:06:20 UTC (rev 259527)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp	2020-04-04 05:22:32 UTC (rev 259528)
@@ -136,6 +136,9 @@
     WebProcess::singleton().parentProcessConnection()->sendSync(Messages::WebPasteboardProxy::GetPasteboardBufferForType(pasteboardName, pasteboardType), Messages::WebPasteboardProxy::GetPasteboardBufferForType::Reply(handle, size), 0);
     if (handle.isNull())
         return nullptr;
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    if (!size || size > handle.size())
+        return nullptr;
     RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
     return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
 }
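Review bot: the context line `RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);` is still dereferenced unconditionally on the next line, so a failed mapping (null return) would crash before the new bounds check buys anything; add an `if (!sharedMemoryBuffer) return nullptr;` between the map and the `SharedBuffer::create` call. Also, as the added comment notes, `handle.size()` is page-rounded, so `size <= handle.size()` only guarantees the read stays inside the mapping, not that the UI process actually wrote `size` bytes; that is the right property for a bounds check, but worth stating in the comment so a later reader does not take it as a content-length validation.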
@@ -377,6 +380,14 @@
     WebProcess::singleton().parentProcessConnection()->sendSync(Messages::WebPasteboardProxy::ReadBufferFromPasteboard(index, pasteboardType, pasteboardName), Messages::WebPasteboardProxy::ReadBufferFromPasteboard::Reply(handle, size), 0);
     if (handle.isNull())
         return nullptr;
+#if OS(DARWIN) || OS(WINDOWS)
+    // SharedMemory::Handle::size() is rounded up to the nearest page.
+    if (!size || size > handle.size())
+        return nullptr;
+#else
+    if (!size)
+        return nullptr;
+#endif
     RefPtr<SharedMemory> sharedMemoryBuffer = SharedMemory::map(handle, SharedMemory::Protection::ReadOnly);
     return SharedBuffer::create(static_cast<unsigned char *>(sharedMemoryBuffer->data()), size);
 }
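Review bot: the `#if OS(DARWIN) || OS(WINDOWS)` guard around `size > handle.size()` is inconsistent with the first hunk in `bufferForType`, which calls `handle.size()` unconditionally; either the guard is unnecessary here or the first hunk does not build on other platforms, and the two functions should agree. The `#else` branch leaves `size` unbounded against the mapping, so a short comment on why `handle.size()` is unavailable there (and what bounds the read on those platforms) would help; the same missing null check after `SharedMemory::map(...)` applies to this hunk as well.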
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
