Log Message
Crash due to VectorBuffer pre-allocation failure
https://bugs.webkit.org/show_bug.cgi?id=224840

Patch by Ian Gilbert <[email protected]> on 2021-04-20
Reviewed by Sam Weinig.

Source/WebKit:

Vector decoder could attempt to allocate a large buffer and on failure would crash.
Changed decode to avoid allocating a Vector based on the decoded size.

Test: ipc/large-vector-allocate-failure-crash.html

* Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:
(IPC::ArgumentCoder<Vector<RefPtr<ApplePayError>>>::decode):

LayoutTests:

Added a regression test.

* ipc/large-vector-allocate-failure-crash-expected.txt: Added.
* ipc/large-vector-allocate-failure-crash.html: Added.
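Added example (not part of this commit or of WebKit's own code): a small C++ decoder with the same shape as the patched `decode`, showing why sizing a container from a wire-supplied count is unsafe and how appending one element per successfully decoded entry bounds the allocation by the bytes actually received. `Decoder`, `PaymentError`, the per-element wire layout and the message-building helpers are hypothetical stand-ins, and the up-front check of `size` against the remaining bytes is an extra guard that goes beyond what the patch itself does.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

// Hypothetical stand-in for an IPC decoder over a byte buffer (not WebKit's IPC::Decoder).
// Integers are little-endian on the wire; every read fails instead of running past the end.
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) {}
    size_t remaining() const { return m_bytes.size() - m_pos; }

    template<typename T>
    bool decode(T& out) {
        static_assert(std::is_integral<T>::value, "fixed-size integer expected");
        if (remaining() < sizeof(T))
            return false;
        T value = 0;
        for (size_t i = 0; i < sizeof(T); ++i)
            value = static_cast<T>(value | (static_cast<T>(m_bytes[m_pos + i]) << (8 * i)));
        m_pos += sizeof(T);
        out = value;
        return true;
    }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_pos = 0;
};

// Stand-in for the element type (ApplePayError in the patched file).
struct PaymentError {
    uint32_t code;
    std::string message;
};

// Constructed element layout: u8 isValid; if non-zero, u32 code, u32 length, `length` message bytes.
static bool decodeOneError(Decoder& decoder, std::shared_ptr<PaymentError>& out) {
    uint8_t isValid = 0;
    if (!decoder.decode(isValid))
        return false;
    if (!isValid) { out = nullptr; return true; }      // null entry, like a null RefPtr
    uint32_t code = 0, length = 0;
    if (!decoder.decode(code) || !decoder.decode(length))
        return false;
    if (length > decoder.remaining())                 // message text must actually be present
        return false;
    std::string message;
    for (uint32_t i = 0; i < length; ++i) {
        uint8_t c = 0;
        decoder.decode(c);
        message.push_back(static_cast<char>(c));
    }
    out = std::make_shared<PaymentError>(PaymentError{code, message});
    return true;
}

// Same shape as the patched decoder: read `size`, then loop and append. The wire-supplied
// count never drives an allocation; the vector grows only for entries that really decoded.
std::optional<std::vector<std::shared_ptr<PaymentError>>> decodeErrors(Decoder& decoder) {
    uint64_t size = 0;
    if (!decoder.decode(size))
        return std::nullopt;
    // Extra guard (not in the patch): each entry needs at least one byte, so a count
    // larger than the bytes left is malformed and can be rejected before any work.
    if (size > decoder.remaining())
        return std::nullopt;
    std::vector<std::shared_ptr<PaymentError>> errors;   // default-constructed, no errors(size)
    for (uint64_t i = 0; i < size; ++i) {
        std::shared_ptr<PaymentError> error;
        if (!decodeOneError(decoder, error))
            return std::nullopt;                         // out of data: reject, don't crash
        errors.push_back(std::move(error));
    }
    return errors;
}

// Constructed sample messages (little-endian helpers).
static void putU32(std::vector<uint8_t>& b, uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back(uint8_t(v >> (8 * i))); }
static void putU64(std::vector<uint8_t>& b, uint64_t v) { for (int i = 0; i < 8; ++i) b.push_back(uint8_t(v >> (8 * i))); }

// Well-formed: two entries, one valid error ("bad", code 7) and one null.
std::vector<uint8_t> wellFormedMessage() {
    std::vector<uint8_t> b;
    putU64(b, 2);
    b.push_back(1); putU32(b, 7); putU32(b, 3); b.push_back('b'); b.push_back('a'); b.push_back('d');
    b.push_back(0);
    return b;
}
// Malformed: claims 2^60 entries but carries one byte of payload.
std::vector<uint8_t> hugeCountMessage() {
    std::vector<uint8_t> b;
    putU64(b, uint64_t(1) << 60);
    b.push_back(1);
    return b;
}
// Malformed: claims 3 entries, third one truncated after its code (loop runs out of data).
std::vector<uint8_t> shortMessage() {
    std::vector<uint8_t> b;
    putU64(b, 3);
    b.push_back(0); b.push_back(0); b.push_back(1); putU32(b, 7);
    return b;
}

// Number of decoded entries, or -1 when the message is rejected.
long decodeCount(const std::vector<uint8_t>& bytes) {
    Decoder decoder(bytes);
    auto errors = decodeErrors(decoder);
    return errors ? static_cast<long>(errors->size()) : -1;
}
// Message text of the first entry, or "" when absent or rejected.
std::string firstErrorMessage(const std::vector<uint8_t>& bytes) {
    Decoder decoder(bytes);
    auto errors = decodeErrors(decoder);
    if (!errors || errors->empty() || !(*errors)[0])
        return "";
    return (*errors)[0]->message;
}
```

The point of the structure is that the only quantity an untrusted sender can inflate cheaply is the count; the fixed cost per entry on the receiving side is bounded by the bytes the sender actually had to transmit, so `hugeCountMessage()` is rejected after reading nine bytes rather than after a multi-gigabyte allocation attempt.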
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/Source/WebKit/ChangeLog
- trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm
Added Paths
- trunk/LayoutTests/ipc/large-vector-allocate-failure-crash-expected.txt
- trunk/LayoutTests/ipc/large-vector-allocate-failure-crash.html
Diff
Modified: trunk/LayoutTests/ChangeLog (276340 => 276341)
--- trunk/LayoutTests/ChangeLog 2021-04-21 01:05:30 UTC (rev 276340)
+++ trunk/LayoutTests/ChangeLog 2021-04-21 01:20:17 UTC (rev 276341)
@@ -1,3 +1,15 @@
+2021-04-20 Ian Gilbert <[email protected]>
+
+ Crash due to VectorBuffer pre-allocation failure
+ https://bugs.webkit.org/show_bug.cgi?id=224840
+
+ Reviewed by Sam Weinig.
+
+ Added a regression test.
+
+ * ipc/large-vector-allocate-failure-crash-expected.txt: Added.
+ * ipc/large-vector-allocate-failure-crash.html: Added.
+
2021-04-20 Robert Jenner <[email protected]>
[ BigSur wk2 Debug arm64 ] http/wpt/preload/change-link-rel-attribute.html is a flakey crash
Added: trunk/LayoutTests/ipc/large-vector-allocate-failure-crash-expected.txt (0 => 276341)
--- trunk/LayoutTests/ipc/large-vector-allocate-failure-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/ipc/large-vector-allocate-failure-crash-expected.txt 2021-04-21 01:20:17 UTC (rev 276341)
@@ -0,0 +1,3 @@
+Test pass if it does not crash.
+
+PASS
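Review bot: The expected text `+Test pass if it does not crash.` should read `Test passes if it does not crash.`; the same sentence is in the test's `<p>`, so change both so the expectation file keeps matching the dumped output.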
Added: trunk/LayoutTests/ipc/large-vector-allocate-failure-crash.html (0 => 276341)
--- trunk/LayoutTests/ipc/large-vector-allocate-failure-crash.html (rev 0)
+++ trunk/LayoutTests/ipc/large-vector-allocate-failure-crash.html 2021-04-21 01:20:17 UTC (rev 276341)
@@ -0,0 +1,13 @@
+<!DOCTYPE html><!-- webkit-test-runner [ IPCTestingAPIEnabled=true ] -->
+<p>Test pass if it does not crash.</p>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ buf = new Uint8Array([0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,]);
+
+ if (window.IPC)
+ IPC.sendMessage('UI',IPC.pageID,IPC.messages.WebPaymentCoordinatorProxy_CompleteShippingContactSelection.name,[buf]);
+ document.write("PASS");
+
+</script>
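Review bot: `document.write("PASS")` runs unconditionally, so in a configuration where `window.IPC` is undefined the test passes without ever sending the message. Move the `document.write` inside the `if (window.IPC)` block, or write a distinct string such as `IPC testing API unavailable` in an else branch, so a vacuous pass shows up in the results. The `buf` literal would also benefit from a one-line comment saying what the bytes encode (which message arguments and where the vector count sits), since as written a reader has to work through the argument coder to see why this input reaches the failing path.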
Modified: trunk/Source/WebKit/ChangeLog (276340 => 276341)
--- trunk/Source/WebKit/ChangeLog 2021-04-21 01:05:30 UTC (rev 276340)
+++ trunk/Source/WebKit/ChangeLog 2021-04-21 01:20:17 UTC (rev 276341)
@@ -1,3 +1,18 @@
+2021-04-20 Ian Gilbert <[email protected]>
+
+ Crash due to VectorBuffer pre-allocation failure
+ https://bugs.webkit.org/show_bug.cgi?id=224840
+
+ Reviewed by Sam Weinig.
+
+ Vector decoder could attempt to allocate a large buffer and on failure would crash.
+ Changed decode to avoid allocating a Vector based on the decoded size.
+
+ Test: ipc/large-vector-allocate-failure-crash.html
+
+ * Shared/Cocoa/WebCoreArgumentCodersCocoa.mm:
+ (IPC::ArgumentCoder<Vector<RefPtr<ApplePayError>>>::decode):
+
2021-04-20 Chris Dumez <[email protected]>
If an idle GPUProcess doesn't exit under memory pressure because it just launched, check again later
Modified: trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm (276340 => 276341)
--- trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm 2021-04-21 01:05:30 UTC (rev 276340)
+++ trunk/Source/WebKit/Shared/Cocoa/WebCoreArgumentCodersCocoa.mm 2021-04-21 01:20:17 UTC (rev 276341)
@@ -360,7 +360,7 @@
if (!decoder.decode(size))
return WTF::nullopt;
- Vector<RefPtr<ApplePayError>> errors(size);
+ Vector<RefPtr<ApplePayError>> errors;
for (uint64_t i = 0; i < size; ++i) {
Optional<bool> isValid;
decoder >> isValid;
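Review bot: With `errors` now default-constructed, the loop body (outside the hunk) must `append()` each decoded element rather than assign `errors[i]`, which would now index past the end; please confirm that, and that no `reserveInitialCapacity(size)` remains, since either would re-introduce the same unbounded allocation from the wire-supplied `size`. The loop still runs up to `size` iterations, but each one has to decode data from the message, so an oversized count now fails the decode when the buffer runs out instead of crashing in `VectorBuffer` pre-allocation, which is the right shape for this fix.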
webkit-changes mailing list: [email protected] https://lists.webkit.org/mailman/listinfo/webkit-changes