Title: [260216] trunk/Source/WebKit
- Revision
- 260216
- Author
- [email protected]
- Date
- 2020-04-16 13:13:01 -0700 (Thu, 16 Apr 2020)
Log Message
Rollout: [IPC Hardening] MachMessage::create() should use checked arithmetic
<https://webkit.org/b/210572>
<rdar://problem/61729947>
Unreviewed rollout of r260160.
Appears to have caused 8 API test failures on iOS.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::Connection::sendOutgoingMessage):
* Platform/IPC/cocoa/MachMessage.cpp:
(IPC::MachMessage::create):
Diff
Modified: trunk/Source/WebKit/ChangeLog (260215 => 260216)
--- trunk/Source/WebKit/ChangeLog 2020-04-16 20:02:43 UTC (rev 260215)
+++ trunk/Source/WebKit/ChangeLog 2020-04-16 20:13:01 UTC (rev 260216)
@@ -1,3 +1,18 @@
+2020-04-16 David Kilzer <[email protected]>
+
+ Rollout: [IPC Hardening] MachMessage::create() should use checked arithmetic
+ <https://webkit.org/b/210572>
+ <rdar://problem/61729947>
+
+ Unreviewed rollout of r260160.
+
+ Appears to have caused 8 API test failures on iOS.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::Connection::sendOutgoingMessage):
+ * Platform/IPC/cocoa/MachMessage.cpp:
+ (IPC::MachMessage::create):
+
2020-04-16 Brent Fulgham <[email protected]>
REGRESSION(r260081) Broke iOS PLT due to InjectedBundle initialization
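Review bot: the new ChangeLog entry justifies the rollout only with "Appears to have caused 8 API test failures on iOS" and names neither the failing tests nor a bug tracking them, so r260160 cannot later be re-landed against a concrete signal; adding the test names (or a tracking bug) under the rollout line would give the re-land a target.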
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (260215 => 260216)
--- trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-04-16 20:02:43 UTC (rev 260215)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-04-16 20:13:01 UTC (rev 260216)
@@ -309,8 +309,6 @@
size_t safeMessageSize = messageSize.unsafeGet();
auto message = MachMessage::create(encoder->messageReceiverName().toString(), encoder->messageName().toString(), safeMessageSize);
- if (!message)
- return false;
auto* header = message->header();
header->msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
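Review bot: removing `if (!message) return false;` ahead of `auto* header = message->header();` leaves sendOutgoingMessage with no failure path, which is only sound because the same revision makes MachMessage::create() stop returning nullptr; an oversized `safeMessageSize` now depends on `fastZeroedMalloc` failing hard rather than on the caller returning false. If this rollout is temporary, the re-land should restore this check in the same commit as the checked arithmetic in MachMessage::create(), since either half alone is inconsistent.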
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp (260215 => 260216)
--- trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-04-16 20:02:43 UTC (rev 260215)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/MachMessage.cpp 2020-04-16 20:13:01 UTC (rev 260216)
@@ -41,10 +41,7 @@
std::unique_ptr<MachMessage> MachMessage::create(CString&& messageReceiverName, CString&& messageName, size_t size)
{
- auto bufferSize = CheckedSize(sizeof(MachMessage)) + size;
- if (bufferSize.hasOverflowed())
- return nullptr;
- void* memory = WTF::fastZeroedMalloc(bufferSize.unsafeGet());
+ void* memory = WTF::fastZeroedMalloc(sizeof(MachMessage) + size);
return std::unique_ptr<MachMessage> { new (NotNull, memory) MachMessage { WTFMove(messageReceiverName), WTFMove(messageName), size } };
}
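Review bot: `WTF::fastZeroedMalloc(sizeof(MachMessage) + size)` is an unchecked size_t addition; if `size` is near SIZE_MAX the sum wraps to a small value and the placement-new on the next line constructs a MachMessage whose stored `size` exceeds its allocation, which is precisely what the removed `CheckedSize` / `hasOverflowed()` guard prevented. Because the rollout is unreviewed and motivated by test failures rather than by a defect in the check, it would help to record which behaviour of the checked version the iOS API tests tripped over (for instance whether the nullptr return was reached for a legitimate size) so the guard can be re-landed in a form those tests accept.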
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes