Title: [290343] trunk/Source/WebKit
Revision
290343
Author
[email protected]
Date
2022-02-22 17:54:07 -0800 (Tue, 22 Feb 2022)

Log Message

Further restrict received IPC boolean values to 0 or 1
https://bugs.webkit.org/show_bug.cgi?id=236801
rdar://85811396

Patch by Simon Lewis <[email protected]> on 2022-02-22
Reviewed by Chris Dumez.

Return std::nullopt if a value larger than 1 is received.

* Platform/IPC/ArgumentCoder.h:
(IPC::ArgumentCoder<bool>::decode):

Diff

Modified: trunk/Source/WebKit/ChangeLog (290342 => 290343)


--- trunk/Source/WebKit/ChangeLog	2022-02-23 01:34:04 UTC (rev 290342)
+++ trunk/Source/WebKit/ChangeLog	2022-02-23 01:54:07 UTC (rev 290343)
@@ -1,3 +1,16 @@
+2022-02-22  Simon Lewis  <[email protected]>
+
+        Further restrict received IPC boolean values to 0 or 1
+        https://bugs.webkit.org/show_bug.cgi?id=236801
+        rdar://85811396
+
+        Reviewed by Chris Dumez.
+
+        Return std::nullopt if a value larger than 1 is received.
+
+        * Platform/IPC/ArgumentCoder.h:
+        (IPC::ArgumentCoder<bool>::decode):
+
 2022-02-22  Brent Fulgham  <[email protected]>
 
         PingLoader is failing to call completion handler in error case
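
Review bot: The new ChangeLog entry states the behaviour ("Return std::nullopt if a value larger than 1 is received.") but not the reason, and the only file it lists is Platform/IPC/ArgumentCoder.h, so no test is recorded for the rejected case. Please add a sentence saying why an out-of-range byte should fail the decode instead of being normalized to true, and either list a test that sends a boolean byte greater than 1 and expects decoding to fail, or note why one is not practical.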

Modified: trunk/Source/WebKit/Platform/IPC/ArgumentCoder.h (290342 => 290343)


--- trunk/Source/WebKit/Platform/IPC/ArgumentCoder.h	2022-02-23 01:34:04 UTC (rev 290342)
+++ trunk/Source/WebKit/Platform/IPC/ArgumentCoder.h	2022-02-23 01:54:07 UTC (rev 290343)
@@ -89,7 +89,7 @@
     static std::optional<bool> decode(Decoder& decoder)
     {
         uint8_t data;
-        if (decoder.decodeFixedLengthData(&data, sizeof(uint8_t), alignof(uint8_t)))
+        if (decoder.decodeFixedLengthData(&data, sizeof(uint8_t), alignof(uint8_t)) && data <= 1)
             return !!data; // This ensures that only the lower bit is set in a boolean for IPC messages
         return std::nullopt;
     }
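
Review bot: The comment on the unchanged return line, "This ensures that only the lower bit is set in a boolean for IPC messages", no longer matches the code. With the added "&& data <= 1" guard, data is already 0 or 1 when that line is reached, so !!data normalizes nothing; the guard is what enforces the invariant. Suggest moving the explanation to the condition and rewording it to say that any byte other than 0 or 1 is treated as a decode failure. Also note that a short read and an out-of-range value now take the same return std::nullopt path; if callers or logging need to tell a truncated message from a malformed boolean, that distinction is lost here.
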
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
