Title: [271908] trunk/Source/WebKit
- Revision: 271908
- Author: [email protected]
- Date: 2021-01-26 14:36:15 -0800 (Tue, 26 Jan 2021)
Log Message
Harden NetworkProcess against integer overflow in CacheStorageEngine size calculation
https://bugs.webkit.org/show_bug.cgi?id=220997
<rdar://problem/66116827>
Reviewed by Youenn Fablet.
Since the CacheStorage allocation is based on data provided by the WebContent process, we should
check for integer overflow before making an allocation.
* NetworkProcess/cache/CacheStorageEngineCache.cpp:
(WebKit::CacheStorage::Cache::put): Use checked arithmetic and return a failure if we overflow.
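The checked-arithmetic pattern the log message describes, as an added example rather than WebKit's own code: a plain uint64_t accumulator beside a checked one modelled on the role CheckedUint64 plays in the patch. `Record`, `CheckedU64` and the two `spaceRequired*` helpers are constructed for illustration.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>
// Constructed stand-in for the space a cache record needs; in WebKit this
// figure is derived from data supplied by the WebContent process.
struct Record {
    uint64_t size;
};

// Minimal checked accumulator modelled on the role CheckedUint64 plays in
// the patch (illustrative, not WTF's implementation).
class CheckedU64 {
public:
    void add(uint64_t v) {
        // Once overflowed, stay overflowed; otherwise reject any add that
        // would exceed UINT64_MAX.
        if (m_overflowed || v > std::numeric_limits<uint64_t>::max() - m_value) {
            m_overflowed = true;
            return;
        }
        m_value += v;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint64_t value() const { return m_value; }
private:
    uint64_t m_value = 0;
    bool m_overflowed = false;
};

// Before the fix: a plain uint64_t wraps silently, so two huge records can
// sum to a tiny "space required" and slip past the quota check.
uint64_t spaceRequiredUnchecked(const std::vector<Record>& records) {
    uint64_t spaceRequired = 0;
    for (const auto& r : records)
        spaceRequired += r.size;
    return spaceRequired;
}

// After the fix: accumulate through the checked type and fail the operation
// on overflow (the commit reports this as DOMCacheEngine::Error::QuotaExceeded).
std::optional<uint64_t> spaceRequiredChecked(const std::vector<Record>& records) {
    CheckedU64 spaceRequired;
    for (const auto& r : records)
        spaceRequired.add(r.size);
    if (spaceRequired.hasOverflowed())
        return std::nullopt; // caller reports failure instead of requesting space
    return spaceRequired.value();
}
```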
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (271907 => 271908)
--- trunk/Source/WebKit/ChangeLog 2021-01-26 22:23:07 UTC (rev 271907)
+++ trunk/Source/WebKit/ChangeLog 2021-01-26 22:36:15 UTC (rev 271908)
@@ -1,3 +1,17 @@
+2021-01-26 Brent Fulgham <[email protected]>
+
+ Harden NetworkProcess against integer overflow in CacheStorageEngine size calculation
+ https://bugs.webkit.org/show_bug.cgi?id=220997
+ <rdar://problem/66116827>
+
+ Reviewed by Youenn Fablet.
+
+ Since the CacheStorage allocation is based on data provided by the WebContent process, we should
+ check for integer overflow before making an allocation.
+
+ * NetworkProcess/cache/CacheStorageEngineCache.cpp:
+ (WebKit::CacheStorage::Cache::put): Use checked arithmetic and return a failure if we overflow.
+
2021-01-26 Per Arne <[email protected]>
[macOS] Deny mach-lookup to the service 'com.apple.tccd.system' in the WebContent process
Modified: trunk/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCache.cpp (271907 => 271908)
--- trunk/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCache.cpp 2021-01-26 22:23:07 UTC (rev 271907)
+++ trunk/Source/WebKit/NetworkProcess/cache/CacheStorageEngineCache.cpp 2021-01-26 22:36:15 UTC (rev 271908)
@@ -420,7 +420,7 @@
ASSERT(m_state == State::Open);
WebCore::CacheQueryOptions options;
- uint64_t spaceRequired = 0;
+ CheckedUint64 spaceRequired = 0;
for (auto& record : records) {
auto* sameURLRecords = recordsFromURL(record.request.url());
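Review bot: the variable's type changes here, but the additions to spaceRequired live in the loop body outside this hunk; the check only holds if every addend reaches the CheckedUint64 through its checked operators, so any intermediate size computed in plain uint64_t before the `+=` would still wrap unnoticed. Worth confirming each arithmetic step in the loop operates on the checked type.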
@@ -436,7 +436,12 @@
}
}
- m_caches.requestSpace(spaceRequired, [caches = makeRef(m_caches), identifier = m_identifier, records = WTFMove(records), callback = WTFMove(callback)](Optional<DOMCacheEngine::Error>&& error) mutable {
+ if (spaceRequired.hasOverflowed()) {
+ callback(makeUnexpected(DOMCacheEngine::Error::QuotaExceeded));
+ return;
+ }
+
+ m_caches.requestSpace(spaceRequired.unsafeGet(), [caches = makeRef(m_caches), identifier = m_identifier, records = WTFMove(records), callback = WTFMove(callback)](Optional<DOMCacheEngine::Error>&& error) mutable {
if (error) {
callback(makeUnexpected(error.value()));
return;
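Review bot: the new overflow branch has no accompanying test, and the ChangeLog carries no note on why none is added; a test that exercises the overflow path would pin the QuotaExceeded behaviour. The ordering is right, though: `hasOverflowed()` is consulted before `unsafeGet()`, so the value handed to requestSpace() is never a wrapped sum, and the early `return` keeps the callback from being invoked twice.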
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes