Modified: trunk/Source/WTF/ChangeLog (259779 => 259780)
--- trunk/Source/WTF/ChangeLog 2020-04-09 04:01:54 UTC (rev 259779)
+++ trunk/Source/WTF/ChangeLog 2020-04-09 04:33:27 UTC (rev 259780)
@@ -1,3 +1,15 @@
+2020-04-08 David Kilzer <[email protected]>
+
+ WTF::Persistence::VectorCoder and IPC::VectorArgumentCoder should use checked arithmetic
+ <https://webkit.org/b/210227>
+ <rdar://problem/60832243>
+
+ Reviewed by Alex Christensen.
+
+ * wtf/persistence/PersistentCoders.h:
+ (WTF::Persistence::VectorCoder::decode):
+ - Use checked arithemtic for multiplication.
+
2020-04-08 Chris Dumez <[email protected]>
querySelector("#\u0000") should match an element with ID U+FFFD
Modified: trunk/Source/WTF/wtf/persistence/PersistentCoders.h (259779 => 259780)
--- trunk/Source/WTF/wtf/persistence/PersistentCoders.h 2020-04-09 04:01:54 UTC (rev 259779)
+++ trunk/Source/WTF/wtf/persistence/PersistentCoders.h 2020-04-09 04:33:27 UTC (rev 259780)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010, 2014-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,6 +26,7 @@
#pragma once
#include <utility>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/Forward.h>
#include <wtf/HashMap.h>
#include <wtf/HashSet.h>
@@ -170,7 +171,8 @@
Vector<T, inlineCapacity> temp;
temp.grow(size);
- decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(temp.data()), size * sizeof(T));
+ Checked<size_t> checkedSize(size);
+ decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(temp.data()), (checkedSize * sizeof(T)).unsafeGet());
vector.swap(temp);
return true;
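Review bot: The checked multiplication on the `decodeFixedLengthData` line runs after `temp.grow(size)` has already allocated `size` elements, so an overflowing `size * sizeof(T)` is only detected once the oversized allocation has been attempted; computing `Checked<size_t> byteLength = Checked<size_t>(size) * sizeof(T);` before the `grow` call (ideally next to a check that the decoder still holds that many bytes) rejects a bad length before any allocation happens. The return value of `decoder.decodeFixedLengthData(...)` is still discarded here, whereas the IPC coder on this page tests it and marks the decoder invalid; if the persistence decoder also signals a short read through its return value, `if (!decoder.decodeFixedLengthData(...)) return false;` would avoid swapping an unfilled buffer into `vector` and reporting success. `VectorCoder::decode` begins before this hunk, so the declaration and type of `size` are not visible from here.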
Modified: trunk/Source/WebKit/ChangeLog (259779 => 259780)
--- trunk/Source/WebKit/ChangeLog 2020-04-09 04:01:54 UTC (rev 259779)
+++ trunk/Source/WebKit/ChangeLog 2020-04-09 04:33:27 UTC (rev 259780)
@@ -1,3 +1,16 @@
+2020-04-08 David Kilzer <[email protected]>
+
+ WTF::Persistence::VectorCoder and IPC::VectorArgumentCoder should use checked arithmetic
+ <https://webkit.org/b/210227>
+ <rdar://problem/60832243>
+
+ Reviewed by Alex Christensen.
+
+ * Platform/IPC/ArgumentCoders.h:
+ (IPC::VectorArgumentCoder::decode):
+ - Use safeCast<> to cast from uint64_t to size_t.
+ - Use checked arithemtic for multiplication.
+
2020-04-08 Alexey Proskuryakov <[email protected]>
Fix WebContent process launching after r259758.
Modified: trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h (259779 => 259780)
--- trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h 2020-04-09 04:01:54 UTC (rev 259779)
+++ trunk/Source/WebKit/Platform/IPC/ArgumentCoders.h 2020-04-09 04:33:27 UTC (rev 259780)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,6 +29,7 @@
#include "Encoder.h"
#include <utility>
#include <wtf/Box.h>
+#include <wtf/CheckedArithmetic.h>
#include <wtf/Forward.h>
#include <wtf/MonotonicTime.h>
#include <wtf/SHA1.h>
@@ -365,10 +366,12 @@
static bool decode(Decoder& decoder, Vector<T, inlineCapacity, OverflowHandler, minCapacity>& vector)
{
- uint64_t size;
- if (!decoder.decode(size))
+ uint64_t decodedSize;
+ if (!decoder.decode(decodedSize))
return false;
+ auto size = safeCast<size_t>(decodedSize);
+
// Since we know the total size of the elements, we can allocate the vector in
// one fell swoop. Before allocating we must however make sure that the decoder buffer
// is big enough.
@@ -380,7 +383,8 @@
Vector<T, inlineCapacity, OverflowHandler, minCapacity> temp;
temp.grow(size);
- if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(temp.data()), size * sizeof(T), alignof(T))) {
+ Checked<size_t> checkedSize(size);
+ if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(temp.data()), (checkedSize * sizeof(T)).unsafeGet(), alignof(T))) {
decoder.markInvalid();
return false;
}
@@ -391,10 +395,12 @@
static Optional<Vector<T, inlineCapacity, OverflowHandler, minCapacity>> decode(Decoder& decoder)
{
- uint64_t size;
- if (!decoder.decode(size))
+ uint64_t decodedSize;
+ if (!decoder.decode(decodedSize))
return WTF::nullopt;
-
+
+ auto size = safeCast<size_t>(decodedSize);
+
// Since we know the total size of the elements, we can allocate the vector in
// one fell swoop. Before allocating we must however make sure that the decoder buffer
// is big enough.
@@ -406,7 +412,8 @@
Vector<T, inlineCapacity, OverflowHandler, minCapacity> vector;
vector.grow(size);
- if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(vector.data()), size * sizeof(T), alignof(T))) {
+ Checked<size_t> checkedSize(size);
+ if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(vector.data()), (checkedSize * sizeof(T)).unsafeGet(), alignof(T))) {
decoder.markInvalid();
return WTF::nullopt;
}
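Review bot: Both `safeCast<size_t>(decodedSize)` and `.unsafeGet()` on the default `Checked<size_t>` terminate the process when the decoded length does not fit, even though each overload already has a failure path for malformed input (`decoder.markInvalid(); return false;` / `return WTF::nullopt;`) a few lines below. Because this is the IPC boundary and the length originates in another process, if rejecting the message is preferable to crashing the receiver the same guard can be written as `Checked<size_t, RecordOverflow> byteLength = Checked<size_t, RecordOverflow>(decodedSize) * sizeof(T); if (byteLength.hasOverflowed()) { decoder.markInvalid(); return false; }` placed before the `grow` call, which also moves the overflow check ahead of the allocation. The identical pattern now appears in both the `bool`-returning and the `Optional`-returning `decode` overloads, so a small shared helper that validates the element count and byte length once would keep the two from drifting. Both `decode` bodies begin before and end after the hunks shown.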