Title: [261024] trunk/Source/WebKit
- Revision
- 261024
- Author
- [email protected]
- Date
- 2020-05-01 14:59:07 -0700 (Fri, 01 May 2020)
Log Message
[IPC hardening] createMessageDecoder() needs a validity check
<https://webkit.org/b/211260>
<rdar://problem/61914087>
Reviewed by Darin Adler.
* Platform/IPC/cocoa/ConnectionCocoa.mm:
(IPC::createMessageDecoder):
- Add validity check and early return for
`numDescriptors`.
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (261023 => 261024)
--- trunk/Source/WebKit/ChangeLog 2020-05-01 21:52:48 UTC (rev 261023)
+++ trunk/Source/WebKit/ChangeLog 2020-05-01 21:59:07 UTC (rev 261024)
@@ -1,3 +1,16 @@
+2020-05-01 David Kilzer <[email protected]>
+
+ [IPC hardening] createMessageDecoder() needs a validity check
+ <https://webkit.org/b/211260>
+ <rdar://problem/61914087>
+
+ Reviewed by Darin Adler.
+
+ * Platform/IPC/cocoa/ConnectionCocoa.mm:
+ (IPC::createMessageDecoder):
+ - Add validity check and early return for
+ `numDescriptors`.
+
2020-05-01 Devin Rousso <[email protected]>
Web Inspector: Browser: crash when handling `disable`
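Review bot: The ChangeLog entry for IPC::createMessageDecoder says a validity check and early return are added for `numDescriptors`, but not which value is rejected or what the function returns in that case. Stating that a descriptor count of zero now returns nullptr would let a reader of the log understand the hardening without opening the diff. The entry also does not mention a test; if none is practical for this path, a line saying so would help.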
Modified: trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm (261023 => 261024)
--- trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-01 21:52:48 UTC (rev 261023)
+++ trunk/Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm 2020-05-01 21:59:07 UTC (rev 261024)
@@ -423,6 +423,8 @@
mach_msg_body_t* body = reinterpret_cast<mach_msg_body_t*>(header + 1);
mach_msg_size_t numDescriptors = body->msgh_descriptor_count;
ASSERT(numDescriptors);
+ if (!numDescriptors)
+ return nullptr;
uint8_t* descriptorData = reinterpret_cast<uint8_t*>(body + 1);
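Review bot: The retained `ASSERT(numDescriptors);` sits directly above the added `if (!numDescriptors)` check, so in debug builds a message with a zero `msgh_descriptor_count` still aborts at the assertion and the new `return nullptr;` path is only exercised in release builds. Since the count is read from the received message, consider dropping the ASSERT or replacing it with a non-fatal logging assertion so both build types take the same early return. The check also rejects only zero: nothing in these lines bounds `numDescriptors` against the size of the received message before `descriptorData` is derived from `body + 1`, so if no such bound exists further down in the function, it belongs next to this check. A one-line comment on why a zero count is invalid at this point would help future readers.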