Diff
Modified: trunk/Source/WebCore/ChangeLog (266744 => 266745)
--- trunk/Source/WebCore/ChangeLog 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebCore/ChangeLog 2020-09-08 20:24:03 UTC (rev 266745)
@@ -1,3 +1,19 @@
+2020-09-08 Youenn Fablet <[email protected]>
+
+ Tighten checks when creating an audio buffer list
+ https://bugs.webkit.org/show_bug.cgi?id=216237
+ <rdar://problem/68271376>
+
+ Reviewed by Geoffrey Garen.
+
+ Add a routine to check there is no multiplication integer overflow.
+
+ * platform/audio/cocoa/WebAudioBufferList.cpp:
+ (WebCore::computeBufferSize):
+ (WebCore::WebAudioBufferList::isSupportedDescription):
+ (WebCore::WebAudioBufferList::setSampleCount):
+ * platform/audio/cocoa/WebAudioBufferList.h:
+
2020-09-08 Tim Horton <[email protected]>
iOS: <attachment>'s QuickLook thumbnails can appear squished
Modified: trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.cpp (266744 => 266745)
--- trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -27,6 +27,8 @@
#include "WebAudioBufferList.h"
#include "CAAudioStreamDescription.h"
+#include <wtf/CheckedArithmetic.h>
+
#include <pal/cf/CoreMediaSoftLink.h>
namespace WebCore {
@@ -59,6 +61,31 @@
setSampleCount(sampleCount);
}
+static inline Optional<std::pair<size_t, size_t>> computeBufferSizes(uint32_t numberOfInterleavedChannels, uint32_t bytesPerFrame, uint32_t numberOfChannelStreams, uint32_t sampleCount)
+{
+ size_t totalSampleCount;
+ bool result = WTF::safeMultiply(sampleCount, numberOfInterleavedChannels, totalSampleCount);
+ if (!result)
+ return { };
+
+ size_t bytesPerBuffer;
+ result = WTF::safeMultiply(bytesPerFrame, totalSampleCount, bytesPerBuffer);
+ if (!result)
+ return { };
+
+ size_t flatBufferSize;
+ result = WTF::safeMultiply(numberOfChannelStreams, bytesPerBuffer, flatBufferSize);
+ if (!result)
+ return { };
+
+ return std::make_pair(bytesPerBuffer, flatBufferSize);
+}
+
+bool WebAudioBufferList::isSupportedDescription(const CAAudioStreamDescription& format, uint32_t sampleCount)
+{
+ return !!computeBufferSizes(format.numberOfInterleavedChannels(), format.bytesPerFrame(), format.numberOfChannelStreams(), sampleCount);
+}
+
void WebAudioBufferList::setSampleCount(uint32_t sampleCount)
{
if (!sampleCount || m_sampleCount == sampleCount)
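Review bot: `computeBufferSizes` returns an unnamed `std::pair<size_t, size_t>`, so the call sites in `setSampleCount` read `bufferSizes->first` and `bufferSizes->second` with nothing saying which is the per-buffer byte count and which is the flat total. A one-line comment above the function would fix that, e.g. `// Returns { bytesPerBuffer, flatBufferSize }, or an empty Optional if any of the three products overflows size_t.`; a two-field struct would make the call sites self-describing. The ChangeLog entry also names the function `computeBufferSize`, without the trailing `s`. `setSampleCount` starts at the end of this hunk and continues in the next one.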
@@ -65,14 +92,17 @@
return;
m_sampleCount = sampleCount;
- size_t bytesPerBuffer = m_sampleCount * m_channelCount * m_bytesPerFrame;
- m_flatBuffer.resize(m_canonicalList->mNumberBuffers * bytesPerBuffer);
+
+ auto bufferSizes = computeBufferSizes(m_channelCount, m_bytesPerFrame, m_canonicalList->mNumberBuffers, m_sampleCount);
+ ASSERT(bufferSizes);
+
+ m_flatBuffer.resize(bufferSizes->second);
auto* data = ""
for (uint32_t buffer = 0; buffer < m_canonicalList->mNumberBuffers; ++buffer) {
m_canonicalList->mBuffers[buffer].mData = data;
- m_canonicalList->mBuffers[buffer].mDataByteSize = bytesPerBuffer;
- data += bytesPerBuffer;
+ m_canonicalList->mBuffers[buffer].mDataByteSize = bufferSizes->first;
+ data += bufferSizes->first;
}
reset();
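Review bot: `ASSERT(bufferSizes)` compiles away in release builds, so if `computeBufferSizes` reports an overflow, the next line dereferences an empty Optional through `bufferSizes->second`. That is only safe for callers that ran `isSupportedDescription` first, and the context line `setSampleCount(sampleCount);` at the top of the previous hunk shows at least one caller with no pre-check visible in this diff. Since this is the last point before the resize and the pointer arithmetic, `RELEASE_ASSERT(bufferSizes);` (or an early return that leaves the list unchanged) would keep the guarantee in shipping builds. The body of `setSampleCount` begins before this hunk and continues past it.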
Modified: trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.h (266744 => 266745)
--- trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.h 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebCore/platform/audio/cocoa/WebAudioBufferList.h 2020-09-08 20:24:03 UTC (rev 266745)
@@ -41,7 +41,7 @@
class WebAudioBufferList final : public PlatformAudioData {
public:
- WebAudioBufferList(const CAAudioStreamDescription&);
+ WEBCORE_EXPORT WebAudioBufferList(const CAAudioStreamDescription&);
WEBCORE_EXPORT WebAudioBufferList(const CAAudioStreamDescription&, uint32_t sampleCount);
WebAudioBufferList(const CAAudioStreamDescription&, CMSampleBufferRef);
@@ -56,6 +56,8 @@
AudioBuffer* buffer(uint32_t index) const;
WTF::IteratorRange<AudioBuffer*> buffers() const;
+ WEBCORE_EXPORT static bool isSupportedDescription(const CAAudioStreamDescription&, uint32_t sampleCount);
+
private:
Kind kind() const { return Kind::WebAudioBufferList; }
Modified: trunk/Source/WebKit/ChangeLog (266744 => 266745)
--- trunk/Source/WebKit/ChangeLog 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/ChangeLog 2020-09-08 20:24:03 UTC (rev 266745)
@@ -1,3 +1,31 @@
+2020-09-08 Youenn Fablet <[email protected]>
+
+ Tighten checks when creating an audio buffer list
+ https://bugs.webkit.org/show_bug.cgi?id=216237
+ <rdar://problem/68271376>
+
+ Reviewed by Geoffrey Garen.
+
+ Add message checks to verify that no message integer overflows happen when processing audio buffer list messages.
+
+ * GPUProcess/GPUConnectionToWebProcess.cpp:
+ (WebKit::GPUConnectionToWebProcess::audioTrackRendererManager):
+ * GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.cpp:
+ (WebKit::RemoteAudioMediaStreamTrackRenderer::RemoteAudioMediaStreamTrackRenderer):
+ (WebKit::RemoteAudioMediaStreamTrackRenderer::audioSamplesStorageChanged):
+ (WebKit::RemoteAudioMediaStreamTrackRenderer::audioSamplesAvailable):
+ * GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.h:
+ * GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.cpp:
+ (WebKit::RemoteAudioMediaStreamTrackRendererManager::RemoteAudioMediaStreamTrackRendererManager):
+ (WebKit::RemoteAudioMediaStreamTrackRendererManager::createRenderer):
+ * GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.h:
+ * GPUProcess/webrtc/RemoteMediaRecorder.cpp:
+ (WebKit::RemoteMediaRecorder::audioSamplesStorageChanged):
+ (WebKit::RemoteMediaRecorder::audioSamplesAvailable):
+ * GPUProcess/webrtc/RemoteMediaRecorder.h:
+ * WebProcess/cocoa/RemoteCaptureSampleManager.cpp:
+ (WebKit::RemoteCaptureSampleManager::RemoteAudio::audioSamplesAvailable):
+
2020-09-08 Tim Horton <[email protected]>
iOS: <attachment>'s QuickLook thumbnails can appear squished
Modified: trunk/Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/GPUConnectionToWebProcess.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -242,7 +242,7 @@
RemoteAudioMediaStreamTrackRendererManager& GPUConnectionToWebProcess::audioTrackRendererManager()
{
if (!m_audioTrackRendererManager)
- m_audioTrackRendererManager = makeUnique<RemoteAudioMediaStreamTrackRendererManager>();
+ m_audioTrackRendererManager = makeUnique<RemoteAudioMediaStreamTrackRendererManager>(*this);
return *m_audioTrackRendererManager;
}
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.cpp (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -28,11 +28,15 @@
#if PLATFORM(COCOA) && ENABLE(GPU_PROCESS) && ENABLE(MEDIA_STREAM)
+#include "Connection.h"
+#include "RemoteAudioMediaStreamTrackRendererManager.h"
#include "SharedRingBufferStorage.h"
#include <WebCore/AudioMediaStreamTrackRenderer.h>
#include <WebCore/CARingBuffer.h>
#include <WebCore/WebAudioBufferList.h>
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, (&m_manager.connection()))
+
namespace WebKit {
using namespace WebCore;
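Review bot: The new `MESSAGE_CHECK` macro is defined at file scope and no hunk in this file adds a matching `#undef`, so in a unified-source build the definition can stay visible to whichever source file is concatenated after this one. Because the expansion names `m_manager`, a later file that defines its own `MESSAGE_CHECK` would hit a redefinition, and one that does not would silently see this one. Adding `#undef MESSAGE_CHECK` before the closing `#endif` keeps the macro local, and the same applies to the definition added in RemoteMediaRecorder.cpp. The end of the file is outside the visible hunks, so confirm that no `#undef` is already there.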
@@ -50,9 +54,10 @@
}
#endif
-RemoteAudioMediaStreamTrackRenderer::RemoteAudioMediaStreamTrackRenderer()
- : m_renderer(WebCore::AudioMediaStreamTrackRenderer::create())
- , m_ringBuffer(makeUnique<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>(nullptr)))
+RemoteAudioMediaStreamTrackRenderer::RemoteAudioMediaStreamTrackRenderer(RemoteAudioMediaStreamTrackRendererManager& manager)
+ : m_manager(manager)
+ , m_renderer(WebCore::AudioMediaStreamTrackRenderer::create())
+ , m_ringBuffer(makeUniqueRef<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>(nullptr)))
{
ASSERT(m_renderer);
@@ -97,10 +102,7 @@
void RemoteAudioMediaStreamTrackRenderer::audioSamplesStorageChanged(const SharedMemory::IPCHandle& ipcHandle, const WebCore::CAAudioStreamDescription& description, uint64_t numberOfFrames)
{
- ASSERT(m_ringBuffer);
- if (!m_ringBuffer)
- return;
-
+ MESSAGE_CHECK(WebAudioBufferList::isSupportedDescription(description, numberOfFrames));
m_description = description;
if (ipcHandle.handle.isNull()) {
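Review bot: `isSupportedDescription` takes `uint32_t sampleCount`, but this handler passes the IPC-supplied `uint64_t numberOfFrames`, so the value is narrowed implicitly and the overflow check only sees its low 32 bits. The full 64-bit value is still passed to `m_ringBuffer->allocate(...)` in the next hunk and to `m_ringBuffer->fetch(...)` in `audioSamplesAvailable`, where `setSampleCount` has sized the list from the narrowed value; whether those callees accept the wider range is not visible here. An explicit range check ahead of the existing one, `MESSAGE_CHECK(numberOfFrames <= std::numeric_limits<uint32_t>::max());`, or a wider parameter type on `isSupportedDescription`, would make the validated value and the used value the same. The same narrowing occurs at the calls in `RemoteMediaRecorder::audioSamplesAvailable` and `RemoteCaptureSampleManager::RemoteAudio::audioSamplesAvailable`. `audioSamplesStorageChanged` continues past this hunk.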
@@ -115,20 +117,21 @@
storage().setReadOnly(true);
m_ringBuffer->allocate(description, numberOfFrames);
+
+ m_audioBufferList = makeUnique<WebAudioBufferList>(m_description);
}
void RemoteAudioMediaStreamTrackRenderer::audioSamplesAvailable(MediaTime time, uint64_t numberOfFrames, uint64_t startFrame, uint64_t endFrame)
{
- ASSERT(m_ringBuffer);
- if (!m_ringBuffer)
- return;
+ MESSAGE_CHECK(m_audioBufferList);
+ MESSAGE_CHECK(WebAudioBufferList::isSupportedDescription(m_description, numberOfFrames));
m_ringBuffer->setCurrentFrameBounds(startFrame, endFrame);
- WebAudioBufferList audioData(m_description, numberOfFrames);
- m_ringBuffer->fetch(audioData.list(), numberOfFrames, time.timeValue());
+ m_audioBufferList->setSampleCount(numberOfFrames);
+ m_ringBuffer->fetch(m_audioBufferList->list(), numberOfFrames, time.timeValue());
- m_renderer->pushSamples(time, audioData, m_description, numberOfFrames);
+ m_renderer->pushSamples(time, *m_audioBufferList, m_description, numberOfFrames);
}
}
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.h (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.h 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRenderer.h 2020-09-08 20:24:03 UTC (rev 266745)
@@ -31,21 +31,23 @@
#include "SharedMemory.h"
#include <WebCore/CAAudioStreamDescription.h>
#include <wtf/MediaTime.h>
+#include <wtf/UniqueRef.h>
namespace WebCore {
class AudioMediaStreamTrackRenderer;
class CARingBuffer;
+class WebAudioBufferList;
}
namespace WebKit {
-class GPUConnectionToWebProcess;
+class RemoteAudioMediaStreamTrackRendererManager;
class SharedRingBufferStorage;
class RemoteAudioMediaStreamTrackRenderer final : private IPC::MessageReceiver {
WTF_MAKE_FAST_ALLOCATED;
public:
- RemoteAudioMediaStreamTrackRenderer();
+ explicit RemoteAudioMediaStreamTrackRenderer(RemoteAudioMediaStreamTrackRendererManager&);
~RemoteAudioMediaStreamTrackRenderer();
void didReceiveMessage(IPC::Connection&, IPC::Decoder&) final;
@@ -61,10 +63,11 @@
SharedRingBufferStorage& storage();
+ RemoteAudioMediaStreamTrackRendererManager& m_manager;
std::unique_ptr<WebCore::AudioMediaStreamTrackRenderer> m_renderer;
-
WebCore::CAAudioStreamDescription m_description;
- std::unique_ptr<WebCore::CARingBuffer> m_ringBuffer;
+ UniqueRef<WebCore::CARingBuffer> m_ringBuffer;
+ std::unique_ptr<WebCore::WebAudioBufferList> m_audioBufferList;
};
}
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.cpp (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -33,8 +33,12 @@
namespace WebKit {
-RemoteAudioMediaStreamTrackRendererManager::RemoteAudioMediaStreamTrackRendererManager() = default;
+RemoteAudioMediaStreamTrackRendererManager::RemoteAudioMediaStreamTrackRendererManager(GPUConnectionToWebProcess& connectionToWebProcess)
+ : m_connectionToWebProcess(connectionToWebProcess)
+{
+}
+
RemoteAudioMediaStreamTrackRendererManager::~RemoteAudioMediaStreamTrackRendererManager() = default;
void RemoteAudioMediaStreamTrackRendererManager::didReceiveRendererMessage(IPC::Connection& connection, IPC::Decoder& decoder)
@@ -46,7 +50,7 @@
void RemoteAudioMediaStreamTrackRendererManager::createRenderer(AudioMediaStreamTrackRendererIdentifier identifier)
{
ASSERT(!m_renderers.contains(identifier));
- m_renderers.add(identifier, makeUnique<RemoteAudioMediaStreamTrackRenderer>());
+ m_renderers.add(identifier, makeUnique<RemoteAudioMediaStreamTrackRenderer>(*this));
}
void RemoteAudioMediaStreamTrackRendererManager::releaseRenderer(AudioMediaStreamTrackRendererIdentifier identifier)
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.h (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.h 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteAudioMediaStreamTrackRendererManager.h 2020-09-08 20:24:03 UTC (rev 266745)
@@ -28,6 +28,7 @@
#if PLATFORM(COCOA) && ENABLE(GPU_PROCESS) && ENABLE(MEDIA_STREAM)
#include "AudioMediaStreamTrackRendererIdentifier.h"
+#include "GPUConnectionToWebProcess.h"
#include "MessageReceiver.h"
#include <wtf/Forward.h>
#include <wtf/HashMap.h>
@@ -44,12 +45,14 @@
class RemoteAudioMediaStreamTrackRendererManager final : private IPC::MessageReceiver {
WTF_MAKE_FAST_ALLOCATED;
public:
- RemoteAudioMediaStreamTrackRendererManager();
+ explicit RemoteAudioMediaStreamTrackRendererManager(GPUConnectionToWebProcess&);
~RemoteAudioMediaStreamTrackRendererManager();
void didReceiveRendererMessage(IPC::Connection&, IPC::Decoder&);
void didReceiveMessageFromWebProcess(IPC::Connection& connection, IPC::Decoder& decoder) { didReceiveMessage(connection, decoder); }
+ IPC::Connection& connection() const { return m_connectionToWebProcess.connection(); }
+
private:
// IPC::MessageReceiver
void didReceiveMessage(IPC::Connection&, IPC::Decoder&) final;
@@ -56,6 +59,7 @@
void createRenderer(AudioMediaStreamTrackRendererIdentifier);
void releaseRenderer(AudioMediaStreamTrackRendererIdentifier);
+ GPUConnectionToWebProcess& m_connectionToWebProcess;
HashMap<AudioMediaStreamTrackRendererIdentifier, std::unique_ptr<RemoteAudioMediaStreamTrackRenderer>> m_renderers;
};
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.cpp (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -28,6 +28,7 @@
#if PLATFORM(COCOA) && ENABLE(GPU_PROCESS) && ENABLE(MEDIA_STREAM) && HAVE(AVASSETWRITERDELEGATE)
+#include "Connection.h"
#include "SharedRingBufferStorage.h"
#include <WebCore/CARingBuffer.h>
#include <WebCore/ImageTransferSessionVT.h>
@@ -35,6 +36,8 @@
#include <WebCore/WebAudioBufferList.h>
#include <wtf/CompletionHandler.h>
+#define MESSAGE_CHECK(assertion) MESSAGE_CHECK_BASE(assertion, (&m_gpuConnectionToWebProcess.connection()))
+
namespace WebKit {
using namespace WebCore;
@@ -66,9 +69,7 @@
void RemoteMediaRecorder::audioSamplesStorageChanged(const SharedMemory::IPCHandle& ipcHandle, const WebCore::CAAudioStreamDescription& description, uint64_t numberOfFrames)
{
- ASSERT(m_ringBuffer);
- if (!m_ringBuffer)
- return;
+ MESSAGE_CHECK(m_ringBuffer);
m_description = description;
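Review bot: Unlike `RemoteAudioMediaStreamTrackRenderer::audioSamplesStorageChanged`, this handler gains no `isSupportedDescription` check, so the message-supplied `description` and `numberOfFrames` reach `m_ringBuffer->allocate(m_description, numberOfFrames)` and `makeUnique<WebAudioBufferList>(m_description)` in the next hunk unvalidated. Adding `MESSAGE_CHECK(WebAudioBufferList::isSupportedDescription(description, numberOfFrames));` before `m_description = description;` would make the two receivers consistent. `MESSAGE_CHECK(m_ringBuffer)` also treats a null ring buffer as a sender fault, although it looks like receiver-side state rather than a property of the message; worth confirming that is intended. The function body continues past this hunk.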
@@ -83,21 +84,22 @@
storage().setStorage(WTFMove(memory));
storage().setReadOnly(true);
- m_ringBuffer->allocate(description, numberOfFrames);
+ m_ringBuffer->allocate(m_description, numberOfFrames);
+ m_audioBufferList = makeUnique<WebAudioBufferList>(m_description);
}
void RemoteMediaRecorder::audioSamplesAvailable(MediaTime time, uint64_t numberOfFrames, uint64_t startFrame, uint64_t endFrame)
{
- ASSERT(m_ringBuffer);
- if (!m_ringBuffer)
- return;
+ MESSAGE_CHECK(m_ringBuffer);
+ MESSAGE_CHECK(m_audioBufferList);
+ MESSAGE_CHECK(WebAudioBufferList::isSupportedDescription(m_description, numberOfFrames));
m_ringBuffer->setCurrentFrameBounds(startFrame, endFrame);
- WebAudioBufferList audioData(m_description, numberOfFrames);
- m_ringBuffer->fetch(audioData.list(), numberOfFrames, time.timeValue());
+ m_audioBufferList->setSampleCount(numberOfFrames);
+ m_ringBuffer->fetch(m_audioBufferList->list(), numberOfFrames, time.timeValue());
- m_writer->appendAudioSampleBuffer(audioData, m_description, time, numberOfFrames);
+ m_writer->appendAudioSampleBuffer(*m_audioBufferList, m_description, time, numberOfFrames);
}
void RemoteMediaRecorder::videoSampleAvailable(WebCore::RemoteVideoSample&& remoteSample)
Modified: trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.h (266744 => 266745)
--- trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.h 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.h 2020-09-08 20:24:03 UTC (rev 266745)
@@ -44,6 +44,7 @@
class CARingBuffer;
class ImageTransferSessionVT;
class RemoteVideoSample;
+class WebAudioBufferList;
struct MediaRecorderPrivateOptions;
}
@@ -78,6 +79,7 @@
WebCore::CAAudioStreamDescription m_description;
std::unique_ptr<WebCore::CARingBuffer> m_ringBuffer;
+ std::unique_ptr<WebCore::WebAudioBufferList> m_audioBufferList;
std::unique_ptr<WebCore::ImageTransferSessionVT> m_imageTransferSession;
};
Modified: trunk/Source/WebKit/WebProcess/cocoa/RemoteCaptureSampleManager.cpp (266744 => 266745)
--- trunk/Source/WebKit/WebProcess/cocoa/RemoteCaptureSampleManager.cpp 2020-09-08 19:49:27 UTC (rev 266744)
+++ trunk/Source/WebKit/WebProcess/cocoa/RemoteCaptureSampleManager.cpp 2020-09-08 20:24:03 UTC (rev 266745)
@@ -143,9 +143,16 @@
void RemoteCaptureSampleManager::RemoteAudio::audioSamplesAvailable(MediaTime time, uint64_t numberOfFrames, uint64_t startFrame, uint64_t endFrame)
{
- if (!m_buffer)
+ if (!m_buffer) {
+ RELEASE_LOG_ERROR(WebRTC, "buffer for audio source %llu is null", m_source->identifier().toUInt64());
return;
+ }
+ if (!WebAudioBufferList::isSupportedDescription(m_description, numberOfFrames)) {
+ RELEASE_LOG_ERROR(WebRTC, "Unable to support description with given number of frames for audio source %llu", m_source->identifier().toUInt64());
+ return;
+ }
+
m_buffer->setSampleCount(numberOfFrames);
m_ringBuffer->setCurrentFrameBounds(startFrame, endFrame);