Title: [261527] branches/safari-609-branch/Source/WebKit
- Revision
- 261527
- Author
- [email protected]
- Date
- 2020-05-11 17:22:18 -0700 (Mon, 11 May 2020)
Log Message
Cherry-pick r258675. rdar://problem/62978870
WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
https://bugs.webkit.org/show_bug.cgi?id=209219
Reviewed by Darin Adler.
* Shared/WebCoreArgumentCoders.cpp:
(IPC::decodeSharedBuffer): Added checking of bufferIsLargeEnoughToContain.
(IPC::decodeTypesAndData): Don't allocate a buffer with the
decoded size. bufferIsLargeEnoughToContain can't be used in this
case because SharedBuffer is encoded as variable length data.
Instead, append items one-by-one.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258675 268f45cc-cd09-0410-ab3c-d52691b4dbfc
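The pattern the log message describes, as an added illustration that is not WebKit's code: a constructed little-endian decoder whose variable-length blobs (like SharedBuffer) are only accepted when a `bufferIsLargeEnoughToContain`-style check passes, and whose outer list is built by appending one decoded item at a time rather than resizing to an untrusted count. `Decoder`, `decodeBlobs` and `buildMessage` are hypothetical names for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed stand-in for IPC::Decoder reading an untrusted little-endian byte stream.
struct Decoder {
    const std::vector<uint8_t>& bytes;
    size_t offset = 0;
    explicit Decoder(const std::vector<uint8_t>& b) : bytes(b) {}

    // Same intent as WebKit's bufferIsLargeEnoughToContain: a claimed size is only
    // honoured if that many bytes actually remain, so no allocation is driven by a lie.
    bool bufferIsLargeEnoughToContain(uint64_t size) const {
        return size <= bytes.size() - offset;
    }
    bool decodeU32(uint32_t& out) {
        if (!bufferIsLargeEnoughToContain(4)) return false;
        out = 0;
        for (int i = 0; i < 4; i++) out |= uint32_t(bytes[offset + i]) << (8 * i);
        offset += 4;
        return true;
    }
    // Variable-length blob: u32 length prefix, then payload (the decodeSharedBuffer shape).
    bool decodeBlob(std::vector<uint8_t>& out) {
        uint32_t size;
        if (!decodeU32(size) || !bufferIsLargeEnoughToContain(size)) return false;
        out.assign(bytes.begin() + offset, bytes.begin() + offset + size);
        offset += size;
        return true;
    }
};

// Fixed shape of decodeTypesAndData: the count is untrusted and each blob is
// variable-length, so the count cannot be pre-validated against the remaining bytes;
// append one decoded blob at a time instead of resize(count).
bool decodeBlobs(const std::vector<uint8_t>& message, std::vector<std::vector<uint8_t>>& data) {
    Decoder d(message);
    uint32_t count;
    if (!d.decodeU32(count)) return false;
    for (uint32_t i = 0; i < count; i++) {
        std::vector<uint8_t> blob;
        if (!d.decodeBlob(blob)) return false;   // truncated input stops the loop early
        data.push_back(std::move(blob));
    }
    return true;
}

// Builds a message: count, then each blob as length + payload (constructed test input).
std::vector<uint8_t> buildMessage(uint32_t count, const std::vector<std::vector<uint8_t>>& blobs) {
    std::vector<uint8_t> m;
    auto putU32 = [&](uint32_t v) { for (int i = 0; i < 4; i++) m.push_back(uint8_t(v >> (8 * i))); };
    putU32(count);
    for (auto& b : blobs) { putU32(uint32_t(b.size())); m.insert(m.end(), b.begin(), b.end()); }
    return m;
}
```

A message that claims a million blobs but carries one causes at most one append before the decode fails, which is the allocation behaviour the patch is after.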
Modified Paths
Diff
Modified: branches/safari-609-branch/Source/WebKit/ChangeLog (261526 => 261527)
--- branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:22:15 UTC (rev 261526)
+++ branches/safari-609-branch/Source/WebKit/ChangeLog 2020-05-12 00:22:18 UTC (rev 261527)
@@ -1,3 +1,35 @@
+2020-05-11 Alan Coon <[email protected]>
+
+ Cherry-pick r258675. rdar://problem/62978870
+
+ WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
+ https://bugs.webkit.org/show_bug.cgi?id=209219
+
+ Reviewed by Darin Adler.
+
+ * Shared/WebCoreArgumentCoders.cpp:
+ (IPC::decodeSharedBuffer): Added checking of bufferIsLargeEnoughToContain.
+ (IPC::decodeTypesAndData): Don't allocate a buffer with the
+ decoded size. bufferIsLargeEnoughToContain can't be used in this
+ case because SharedBuffer is encoded as variable length data.
+ Instead, append items one-by-one.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258675 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-18 Fujii Hironori <[email protected]>
+
+ WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
+ https://bugs.webkit.org/show_bug.cgi?id=209219
+
+ Reviewed by Darin Adler.
+
+ * Shared/WebCoreArgumentCoders.cpp:
+ (IPC::decodeSharedBuffer): Added checking of bufferIsLargeEnoughToContain.
+ (IPC::decodeTypesAndData): Don't allocate a buffer with the
+ decoded size. bufferIsLargeEnoughToContain can't be used in this
+ case because SharedBuffer is encoded as variable length data.
+ Instead, append items one-by-one.
+
2020-05-07 Russell Epstein <[email protected]>
Cherry-pick r261024. rdar://problem/62978260
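Review bot: the ChangeLog entry credits IPC::decodeSharedBuffer with a new bufferIsLargeEnoughToContain check, but the only code hunk in this revision touches decodeTypesAndData; confirm against r258675 whether the decodeSharedBuffer hunk was dropped from the cherry-pick or the entry describes more than this branch commit applies.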
Modified: branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp (261526 => 261527)
--- branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-05-12 00:22:15 UTC (rev 261526)
+++ branches/safari-609-branch/Source/WebKit/Shared/WebCoreArgumentCoders.cpp 2020-05-12 00:22:18 UTC (rev 261527)
@@ -175,9 +175,12 @@
ASSERT(dataSize == types.size());
- data.resize(dataSize);
- for (auto& buffer : data)
- decodeSharedBuffer(decoder, buffer);
+ for (uint64_t i = 0; i < dataSize; i++) {
+ RefPtr<SharedBuffer> buffer;
+ if (!decodeSharedBuffer(decoder, buffer))
+ return false;
+ data.append(WTFMove(buffer));
+ }
return true;
}
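Review bot: the new loop fixes a real defect, since the removed lines ignored decodeSharedBuffer's return value and pre-sized `data` from the attacker-controlled `dataSize`, but nothing in the code says why the vector is deliberately not reserved up front; a one-line comment next to `for (uint64_t i = 0; i < dataSize; i++)` noting that SharedBuffer is variable-length so the count cannot be validated against the remaining bytes would stop a future cleanup from reintroducing `data.resize(dataSize)`. Also, `ASSERT(dataSize == types.size())` compiles out in release builds; if the hard `dataSize != types.size()` check is not already above this hunk, it should be, because this decoder runs on untrusted IPC input.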
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes