Title: [147508] trunk/Source/WebKit2
Revision
147508
Author
[email protected]
Date
2013-04-02 16:34:22 -0700 (Tue, 02 Apr 2013)

Log Message

Be more robust against empty message receiver names in incoming messages
https://bugs.webkit.org/show_bug.cgi?id=113833
<rdar://problem/13284433>

Reviewed by Beth Dakin.

It turns out that we sometimes send or receive messages whose receiver names are empty. This leads to bad things when we try to look
up the message receiver name in a hash map, since the empty name is the value the hash map uses to mark an empty bucket.

* Platform/CoreIPC/Connection.cpp:
(CoreIPC::Connection::addWorkQueueMessageReceiverOnConnectionWorkQueue):
Sprinkle assertions.

(CoreIPC::Connection::processIncomingMessage):
If the message receiver name is not valid, make sure to call didReceiveInvalidMessage on the client thread.

(CoreIPC::Connection::dispatchDidReceiveInvalidMessage):
Add new helper function.

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (147507 => 147508)


--- trunk/Source/WebKit2/ChangeLog	2013-04-02 23:31:18 UTC (rev 147507)
+++ trunk/Source/WebKit2/ChangeLog	2013-04-02 23:34:22 UTC (rev 147508)
@@ -1,3 +1,24 @@
+2013-04-02  Anders Carlsson  <[email protected]>
+
+        Be more robust against empty message receiver names in incoming messages
+        https://bugs.webkit.org/show_bug.cgi?id=113833
+        <rdar://problem/13284433>
+
+        Reviewed by Beth Dakin.
+
+        Turns out that we either send or receive messages whose receiver names are empty. This leads to bad things when we try to look
+        up the message receiver name in a hash map since the empty name is used to represent an empty hash map value.
+
+        * Platform/CoreIPC/Connection.cpp:
+        (CoreIPC::Connection::addWorkQueueMessageReceiverOnConnectionWorkQueue):
+        Sprinkle assertions.
+
+        (CoreIPC::Connection::processIncomingMessage):
+        If the message receiver name is not valid, make sure to call didReceiveInvalidMessage on the client thread.
+
+        (CoreIPC::Connection::dispatchDidReceiveInvalidMessage):
+        Add new helper function.
+
 2013-04-02  Simon Cooper  <[email protected]>
 
         [Mac][WK2] Don’t let plug-ins use System V shared memory

Modified: trunk/Source/WebKit2/Platform/CoreIPC/Connection.cpp (147507 => 147508)


--- trunk/Source/WebKit2/Platform/CoreIPC/Connection.cpp	2013-04-02 23:31:18 UTC (rev 147507)
+++ trunk/Source/WebKit2/Platform/CoreIPC/Connection.cpp	2013-04-02 23:34:22 UTC (rev 147508)
@@ -271,7 +271,10 @@
 
 void Connection::addWorkQueueMessageReceiverOnConnectionWorkQueue(StringReference messageReceiverName, WorkQueue* workQueue, WorkQueueMessageReceiver* workQueueMessageReceiver)
 {
+    ASSERT(workQueue);
+    ASSERT(workQueueMessageReceiver);
     ASSERT(!m_workQueueMessageReceivers.contains(messageReceiverName));
+
     m_workQueueMessageReceivers.add(messageReceiverName, std::make_pair(workQueue, workQueueMessageReceiver));
 }
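Review bot: addWorkQueueMessageReceiverOnConnectionWorkQueue now asserts that the receiver name is not already registered, but not that it is a usable key at all, even though the same patch makes processIncomingMessage reject any receiver name that fails isValidKey. A receiver registered under an empty name would therefore be silently unreachable: every message for it is reported as invalid rather than dispatched. Add `ASSERT(m_workQueueMessageReceivers.isValidKey(messageReceiverName));` ahead of the contains() check so the mistake surfaces at registration time.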
 
@@ -607,12 +610,19 @@
 {
     OwnPtr<MessageDecoder> message = incomingMessage;
 
+    ASSERT(!message->messageReceiverName().isEmpty());
+    ASSERT(!message->messageName().isEmpty());
+
     if (message->messageReceiverName() == "IPC" && message->messageName() == "SyncMessageReply") {
         processIncomingSyncReply(message.release());
         return;
     }
 
-    // Check if any work queue message receivers are interested in this message.
+    if (!m_workQueueMessageReceivers.isValidKey(message->messageReceiverName())) {
+        m_clientRunLoop->dispatch(bind(&Connection::dispatchDidReceiveInvalidMessage, this, message->messageReceiverName().toString(), message->messageName().toString()));
+        return;
+    }
+
     HashMap<StringReference, std::pair<RefPtr<WorkQueue>, RefPtr<WorkQueueMessageReceiver> > >::const_iterator it = m_workQueueMessageReceivers.find(message->messageReceiverName());
     if (it != m_workQueueMessageReceivers.end()) {
         it->value.first->dispatch(bind(&Connection::dispatchWorkQueueMessageReceiverMessage, this, it->value.second, message.release().leakPtr()));
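Review bot: The two ASSERTs added at the top of processIncomingMessage fire on exactly the input this patch sets out to tolerate: the log message says empty receiver names do arrive, so in any build where ASSERT is live an empty name from the peer trips the assertion before the isValidKey branch below it runs, and only ASSERT-free builds ever exercise the didReceiveInvalidMessage path. If the intent is to reject rather than assume, drop the ASSERT on messageReceiverName and let the isValidKey check be the check. messageName is likewise asserted non-empty but never validated at runtime; if it is used as a hash key further down in dispatch (not visible here) it needs the same treatment, e.g. `if (!m_workQueueMessageReceivers.isValidKey(message->messageReceiverName()) || message->messageName().isEmpty())`. The toString() copies on the dispatch line deserve a why-comment, e.g. `// Copy the names out: the decoder is a local OwnPtr and is gone before the client run loop runs this.`, since they look redundant at first glance. processIncomingMessage's signature is above this hunk and its body continues past it.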
@@ -734,6 +744,16 @@
         sendSyncReply(adoptPtr(static_cast<MessageEncoder*>(replyEncoder.leakPtr())));
 }
 
+void Connection::dispatchDidReceiveInvalidMessage(const CString& messageReceiverNameString, const CString& messageNameString)
+{
+    ASSERT(RunLoop::current() == m_clientRunLoop);
+
+    if (!m_client)
+        return;
+
+    m_client->didReceiveInvalidMessage(this, StringReference(messageReceiverNameString.data(), messageReceiverNameString.length()), StringReference(messageNameString.data(), messageNameString.length()));
+}
+
 void Connection::didFailToSendSyncMessage()
 {
     if (!m_shouldExitOnSyncMessageSendFailure)
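Review bot: dispatchDidReceiveInvalidMessage takes CString copies and rebuilds StringReferences from them, and nothing says why; the next maintainer will be tempted to "simplify" the parameters back to StringReference and hand the client dangling pointers into a decoder that processIncomingMessage has already destroyed. A header comment would prevent that, e.g. `// Runs on the client run loop. Takes owned CStrings because the MessageDecoder that backed the original StringReferences is destroyed before this is dispatched.` The early return on `!m_client` also drops the invalid message without any trace; if that is the intended behaviour once the client has detached, a one-line comment saying so would help, since this is the only place the invalid-receiver-name case is reported.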

Modified: trunk/Source/WebKit2/Platform/CoreIPC/Connection.h (147507 => 147508)


--- trunk/Source/WebKit2/Platform/CoreIPC/Connection.h	2013-04-02 23:31:18 UTC (rev 147507)
+++ trunk/Source/WebKit2/Platform/CoreIPC/Connection.h	2013-04-02 23:34:22 UTC (rev 147508)
@@ -216,6 +216,7 @@
     void dispatchMessage(PassOwnPtr<MessageDecoder>);
     void dispatchMessage(MessageDecoder&);
     void dispatchSyncMessage(MessageDecoder&);
+    void dispatchDidReceiveInvalidMessage(const CString& messageReceiverNameString, const CString& messageNameString);
     void didFailToSendSyncMessage();
 
     // Can be called on any thread.