Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 23f2542385a7ff667cd8d8b17b77a733203ac51f
https://github.com/WebKit/WebKit/commit/23f2542385a7ff667cd8d8b17b77a733203ac51f
Author: Alex Christensen <[email protected]>
Date: 2023-02-06 (Mon, 06 Feb 2023)
Changed paths:
M Source/WebKit/Platform/IPC/ArgumentCoders.h
M Tools/TestWebKitAPI/Tests/IPC/ArgumentCoderTests.cpp
Log Message:
-----------
Limit untrusted allocations when decoding Vectors to 1MB
https://bugs.webkit.org/show_bug.cgi?id=251804
Reviewed by Kimmo Kinnunen.
257725@main introduced a performance improvement where we only allocate exactly as much memory as we need once when decoding a Vector. This is wonderful, but it introduced allocation based on size from an untrusted source, making it so any message that sends a Vector can be used to send a very large size_t and crash the other process. In this PR I get the best of both worlds: if the total allocation size is less than 1MB then we do the fast and efficient thing, but if it is more than 1MB we do the safe thing.
* Source/WebKit/Platform/IPC/ArgumentCoders.h:
Canonical link: https://commits.webkit.org/259917@main
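The two-path decode the commit message describes, written out as an added illustration (this is not WebKit's ArgumentCoders code; the `Decoder` struct and `encodeMessage` helper are hypothetical stand-ins constructed for this example). A declared element count that fits under the 1MB cap gets a single up-front reserve; a larger count is grown element by element, so a hostile size field costs no more than the bytes actually sent before decoding fails.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// 1MB cap on allocations driven by an untrusted size, matching the commit message.
constexpr size_t kMaxUntrustedAllocation = 1024 * 1024;

// Minimal stand-in for an IPC decoder over an untrusted byte buffer (hypothetical, not WebKit's).
struct Decoder {
    const uint8_t* data;
    size_t length;
    size_t offset = 0;
    template<typename T> bool decodeRaw(T& out) {
        if (length - offset < sizeof(T)) return false; // out of bytes: message was truncated
        std::memcpy(&out, data + offset, sizeof(T));
        offset += sizeof(T);
        return true;
    }
};

// Decode a length-prefixed Vector<uint32_t>. If the declared size fits under the cap, reserve once
// (fast path); otherwise grow per element, so a bogus size cannot force a huge allocation.
std::optional<std::vector<uint32_t>> decodeVector(Decoder& decoder) {
    uint64_t count;
    if (!decoder.decodeRaw(count)) return std::nullopt;
    std::vector<uint32_t> result;
    if (count <= kMaxUntrustedAllocation / sizeof(uint32_t))
        result.reserve(static_cast<size_t>(count));
    for (uint64_t i = 0; i < count; ++i) {
        uint32_t element;
        if (!decoder.decodeRaw(element)) return std::nullopt; // buffer ran dry: size field lied
        result.push_back(element);
    }
    return result;
}

std::optional<std::vector<uint32_t>> decodeFromBytes(const std::vector<uint8_t>& bytes) {
    Decoder decoder { bytes.data(), bytes.size() };
    return decodeVector(decoder);
}

// Build a constructed message: 64-bit count followed by `elements`. `declaredCount` may lie,
// as a hostile sender's would; the payload is just whatever elements are supplied.
std::vector<uint8_t> encodeMessage(uint64_t declaredCount, const std::vector<uint32_t>& elements) {
    std::vector<uint8_t> bytes(sizeof(uint64_t) + elements.size() * sizeof(uint32_t));
    std::memcpy(bytes.data(), &declaredCount, sizeof(uint64_t));
    if (!elements.empty()) std::memcpy(bytes.data() + sizeof(uint64_t), elements.data(), elements.size() * sizeof(uint32_t));
    return bytes;
}
```

With the cap in place, a message declaring UINT64_MAX elements is rejected after reading only the bytes it actually carries; without it, the single reserve on that count is the crash the commit fixes.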
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes