WebKit Bugzilla
Attachment 341800 Details for Bug 186211: Make sure that the fencePort received over IPC has the expected disposition (SEND)
Patch: bug-186211-20180601161559.patch (text/plain), 3.88 KB, created by Brent Fulgham on 2018-06-01 16:16:00 PDT
Description: Patch
Filename: bug-186211-20180601161559.patch
MIME Type: text/plain
Creator: Brent Fulgham
Created: 2018-06-01 16:16:00 PDT
Size: 3.88 KB
Flags: patch, obsolete
>Subversion Revision: 232365 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index c3805cd6a6382d88db6b45552a7c9ae5cc73317d..b70e1707ca15f5e9833e30ca7b641e08dc140783 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,21 @@ >+2018-06-01 Brent Fulgham <bfulgham@apple.com> >+ >+ Make sure that the fencePort received over IPC has the expected disposition (SEND) >+ https://bugs.webkit.org/show_bug.cgi?id=186211 >+ <rdar://problem/37814171> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ It is possible (though very unlikely) for a message to be recevied that has the wrong mach port disposition. >+ If this happens, we shouldn't manipulate the passed mach_port_t or pass it on to other API. We already >+ drop messages that violate this expectation in the IPC layer, but code handling IPC::Attachment data types >+ are not checking this value. >+ >+ * WebProcess/WebPage/WebPage.cpp: >+ (WebKit::WebPage::setTopContentInsetFenced): >+ * WebProcess/cocoa/VideoFullscreenManager.mm: >+ (WebKit::VideoFullscreenManager::setVideoLayerFrameFenced): >+ > 2018-05-31 Brent Fulgham <bfulgham@apple.com> > > [macOS] Add JIT entitlements to WebContent process and plugin process on macOS >diff --git a/Source/WebKit/WebProcess/WebPage/WebPage.cpp b/Source/WebKit/WebProcess/WebPage/WebPage.cpp >index 8daa1180942381b1420865b3c51b8a2590418217..7d30c1afec68cf4857dc122222e5dafbc9833212 100644 >--- a/Source/WebKit/WebProcess/WebPage/WebPage.cpp >+++ b/Source/WebKit/WebProcess/WebPage/WebPage.cpp 
>@@ -2660,6 +2660,13 @@ void WebPage::setDrawsBackground(bool drawsBackground) > #if PLATFORM(COCOA) > void WebPage::setTopContentInsetFenced(float contentInset, IPC::Attachment fencePort) > { >+ // Check for invalid message receipt. If this is not a send right, something has >+ // gone wrong and we should discard this message. >+ if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) { >+ LOG(Layers, "WebPage::setTopContentInsetFenced(%g, fencePort) Received an invalid fence port: %d, disposition: %d", contentInset, fencePort.port(), fencePort.disposition()); >+ return; >+ } >+ > m_drawingArea->addFence(MachSendRight::create(fencePort.port())); > > setTopContentInset(contentInset); >diff --git a/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm b/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm >index a80883acf48384704cd350df04af985ef06952b9..5791a04b5643c14940db198618545023ceee4a98 100644 >--- a/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm >+++ b/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm >@@ -564,6 +564,13 @@ void VideoFullscreenManager::setVideoLayerFrameFenced(uint64_t contextId, WebCor > { > LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x)", this, contextId); > >+ // Check for invalid message receipt. If this is not a send right, something has >+ // gone wrong and we should discard this message. >+ if (fencePort.disposition() != MACH_MSG_TYPE_MOVE_SEND) { >+ LOG(Fullscreen, "VideoFullscreenManager::setVideoLayerFrameFenced(%p, %x) Received an invalid fence port: %d, disposition: %d", this, contextId, fencePort.port(), fencePort.disposition()); >+ return; >+ } >+ > RefPtr<VideoFullscreenModelVideoElement> model; > RefPtr<VideoFullscreenInterfaceContext> interface; > std::tie(model, interface) = ensureModelAndInterface(contextId); 
>@@ -573,8 +580,8 @@ void VideoFullscreenManager::setVideoLayerFrameFenced(uint64_t contextId, WebCor > bounds = FloatRect(0, 0, videoRect.width(), videoRect.height()); > } > >- if (interface->layerHostingContext()) >- interface->layerHostingContext()->setFencePort(fencePort.port()); >+ if (auto* context = interface->layerHostingContext()) >+ context->setFencePort(fencePort.port()); > model->setVideoLayerFrame(bounds); > deallocateSendRightSafely(fencePort.port()); > }
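Review bot: the ChangeLog entry (Source/WebKit/ChangeLog hunk) has a typo, "recevied" for "received", and a number-agreement slip: "code handling IPC::Attachment data types are not checking this value" should read "is not checking this value". Worth fixing before landing, since this entry is the permanent record of why the disposition check was added.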
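Review bot: the early return added to WebPage::setTopContentInsetFenced (WebPage.cpp hunk) exits before the only use of the port, MachSendRight::create(fencePort.port()), and nothing on the new error path releases the name that arrived in the message. If a message with an unexpected disposition can still carry a port name, that name is leaked in the WebContent process every time the check fires; either release it on the error path or extend the comment to say that no right is held in this case. Minor: the LOG line prints fencePort.port() and fencePort.disposition() with %d, so check that the specifiers match the signedness of those accessors' return types.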
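Review bot: in the new LOG line in VideoFullscreenManager::setVideoLayerFrameFenced (first VideoFullscreenManager.mm hunk, @@ -564), contextId is a uint64_t per the function signature in the hunk header but is formatted with %x, which expects an unsigned int; the pre-existing LOG two lines above has the same mismatch, so this is a good moment to fix both, for example with "%" PRIx64 from <cinttypes> or %llx with an explicit cast. Separately, the check and its two-line comment are copied verbatim from WebPage::setTopContentInsetFenced; a small helper on IPC::Attachment (something like a `bool isMoveSendRight() const`, a suggested name rather than an existing API) would keep the two call sites from drifting apart.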
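Review bot: the `auto* context = interface->layerHostingContext()` rewrite (second VideoFullscreenManager.mm hunk, @@ -573) is an unrelated tidy-up and is fine, but this hunk also shows that deallocateSendRightSafely(fencePort.port()) at the end of the function is now reached only on the success path: the early return added above it bails out before the release. If the intent is that a message with the wrong disposition never carries a right that needs releasing, say so in the comment; otherwise the error path should release the port as well.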