[webkit-changes] [274160] trunk/Source/WebKit

[cdumez]

Title: [274160] trunk/Source/WebKit

Revision

274160

Author

cdu...@apple.com

Date

2021-03-09 10:58:53 -0800 (Tue, 09 Mar 2021)

Log Message

[IPC Hardening] IPC::decode(Decoder& decoder, RetainPtr<CFDictionaryRef>&) should make sure keys & values aren't null
https://bugs.webkit.org/show_bug.cgi?id=222980

Reviewed by Geoffrey Garen.

[NSMutableDictionary setObject:forKey:] throws an exception when the given object or key is nil. The dictionary decoder
should therefore fail nicely when either of these is nil, instead of crashing.

* Shared/cf/ArgumentCodersCF.cpp:
(IPC::decode):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp

Diff

Modified: trunk/Source/WebKit/ChangeLog (274159 => 274160)

--- trunk/Source/WebKit/ChangeLog	2021-03-09 18:58:17 UTC (rev 274159)
+++ trunk/Source/WebKit/ChangeLog	2021-03-09 18:58:53 UTC (rev 274160)
@@ -1,5 +1,18 @@
 2021-03-09  Chris Dumez  <cdu...@apple.com>
 
+        [IPC Hardening] IPC::decode(Decoder& decoder, RetainPtr<CFDictionaryRef>&) should make sure keys & values aren't null
+        https://bugs.webkit.org/show_bug.cgi?id=222980
+
+        Reviewed by Geoffrey Garen.
+
+        [NSMutableDictionary setObject:forKey:] throws an exception when the given object or key is nil. The dictionary decoder
+        should therefore fail nicely when either of these is nil, instead of crashing.
+
+        * Shared/cf/ArgumentCodersCF.cpp:
+        (IPC::decode):
+
+2021-03-09  Chris Dumez  <cdu...@apple.com>
+
         [IPC Hardening] SandboxExtension::HandleArray IPC decoder should not call Vector::resize()
         https://bugs.webkit.org/show_bug.cgi?id=222977
         <rdar://problem/75218451>

Modified: trunk/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp (274159 => 274160)

--- trunk/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp	2021-03-09 18:58:17 UTC (rev 274159)
+++ trunk/Source/WebKit/Shared/cf/ArgumentCodersCF.cpp	2021-03-09 18:58:53 UTC (rev 274160)
@@ -458,11 +458,11 @@
     RetainPtr<CFMutableDictionaryRef> dictionary = adoptCF(CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
     for (uint64_t i = 0; i < size; ++i) {
         RetainPtr<CFTypeRef> key;
-        if (!decode(decoder, key))
+        if (!decode(decoder, key) || !key)
             return false;
 
         RetainPtr<CFTypeRef> value;
-        if (!decode(decoder, value))
+        if (!decode(decoder, value) || !value)
             return false;
 
         CFDictionarySetValue(dictionary.get(), key.get(), value.get());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes