190281 2018-10-04 10:06:03 -0700 Validation in Connection::readBytesFromSocket() is too aggressive 2018-11-21 16:26:19 -0800 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=171871 InRadar P2 Normal --- 1 annulen annulen cgarcia commit-queue mcatanzaro webkit-bug-importer zan oldest_to_newest 1466394 0 annulen 2018-10-04 10:06:03 -0700 Since r217206 Connection::readBytesFromSocket() validates size of control message. However, it compares cmsg_len with attachmentMaxAmount, while Connection::sendOutgoingMessage() computes it as CMSG_LEN(sizeof(int) * attachmentFDBufferLength) where attachmentFDBufferLength <= attachmentMaxAmount. This mismatch between sender and receiver leads to possibility of assertion failure with large number of attachments, e.g. here 62 attachments have cmsg_length == 264. 1466395 1 351598 annulen 2018-10-04 10:09:04 -0700 Created attachment 351598 Patch 1466950 2 351598 mcatanzaro 2018-10-07 12:54:55 -0700 Comment on attachment 351598 Patch Oh wow, good find. Under what scenario were you hitting this failure? Any way to write a test? Can you add it to https://trac.webkit.org/wiki/WebKitGTK/2.22.x (for 2.22.3) after landing, please? 1467131 3 annulen 2018-10-08 11:45:37 -0700 (In reply to Michael Catanzaro from comment #2) > Comment on attachment 351598 [details] > Patch > > Oh wow, good find. > > Under what scenario were you hitting this failure? It was reproducing with QtWebKit, but not with GTK port. I guess behavior is different because Qt uses UI-side compositing, which is probably a reson why there are so many attachments. >Any way to write a test? No idea from the top of my had. > > Can you add it to https://trac.webkit.org/wiki/WebKitGTK/2.22.x (for 2.22.3) > after landing, please? Sure 1467136 4 351598 commit-queue 2018-10-08 12:12:36 -0700 Comment on attachment 351598 Patch Clearing flags on attachment: 351598 Committed r236928: <https://trac.webkit.org/changeset/236928> 1467137 5 commit-queue 2018-10-08 12:12:37 -0700 All reviewed patches have been landed. Closing bug. 1467138 6 webkit-bug-importer 2018-10-08 12:13:28 -0700 <rdar://problem/45098148> 351598 2018-10-04 10:09:04 -0700 2018-10-08 12:12:36 -0700 Patch bug-190281-20181004200908.patch text/plain 2250 annulen U3VidmVyc2lvbiBSZXZpc2lvbjogMjM2MTA0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDk4OGQzODhiZjdiZjZmMzdi MWFkODk0MmM1N2EyZDc3MDBmNWMxNTguLjNmMTZkNDdmYTYyYmE5ZTEwNGFjMGYyOGE4MWQ3Yzlm OGNkNzRlOTQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjEgQEAKKzIwMTgtMTAtMDQgIEtvbnN0YW50 aW4gVG9rYXJldiAgPGFubnVsZW5AeWFuZGV4LnJ1PgorCisgICAgICAgIFZhbGlkYXRpb24gaW4g Q29ubmVjdGlvbjo6cmVhZEJ5dGVzRnJvbVNvY2tldCgpIGlzIHRvbyBhZ2dyZXNzaXZlCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xOTAyODEKKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBTaW5jZSByMjE3MjA2 IENvbm5lY3Rpb246OnJlYWRCeXRlc0Zyb21Tb2NrZXQoKSB2YWxpZGF0ZXMgc2l6ZSBvZgorICAg ICAgICBjb250cm9sIG1lc3NhZ2UuIEhvd2V2ZXIsIGl0IGNvbXBhcmVzIGNtc2dfbGVuIHdpdGgg YXR0YWNobWVudE1heEFtb3VudCwKKyAgICAgICAgd2hpbGUgQ29ubmVjdGlvbjo6c2VuZE91dGdv aW5nTWVzc2FnZSgpIGNvbXB1dGVzIGl0IGFzCisgICAgICAgIENNU0dfTEVOKHNpemVvZihpbnQp ICogYXR0YWNobWVudEZEQnVmZmVyTGVuZ3RoKSB3aGVyZQorICAgICAgICBhdHRhY2htZW50RkRC dWZmZXJMZW5ndGggPD0gYXR0YWNobWVudE1heEFtb3VudC4gVGhpcyBtaXNtYXRjaCBiZXR3ZWVu CisgICAgICAgIHNlbmRlciBhbmQgcmVjZWl2ZXIgbGVhZHMgdG8gcG9zc2liaWxpdHkgb2YgYXNz ZXJ0aW9uIGZhaWx1cmUgd2l0aCBsYXJnZQorICAgICAgICBudW1iZXIgb2YgYXR0YWNobWVudHMs IGUuZy4gaGVyZSA2MiBhdHRhY2htZW50cyBoYXZlIGNtc2dfbGVuZ3RoID09IDI2NC4KKworICAg ICAgICAqIFBsYXRmb3JtL0lQQy91bml4L0Nvbm5lY3Rpb25Vbml4LmNwcDoKKyAgICAgICAgKElQ Qzo6cmVhZEJ5dGVzRnJvbVNvY2tldCk6CisKIDIwMTgtMDktMTcgIFphbiBEb2JlcnNlayAgPHpk b2JlcnNla0BpZ2FsaWEuY29tPgogCiAgICAgICAgIFVucmV2aWV3ZWQgYnVpbGQgZml4IGFmdGVy IHIyMzYxMDEuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L1BsYXRmb3JtL0lQQy91bml4L0Nv bm5lY3Rpb25Vbml4LmNwcCBiL1NvdXJjZS9XZWJLaXQvUGxhdGZvcm0vSVBDL3VuaXgvQ29ubmVj dGlvblVuaXguY3BwCmluZGV4IDljMzgwMDQ2ZGRiYWY0NWY4MmVkNGQ2OWY4NWJhMmQ5M2Y2Njk1 YTUuLjRmM2FiMTQ2MDhiNGJmZDJlNjVhMDQxMDJjNGQ0OGFjNWM2YWQ2NTYgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJLaXQvUGxhdGZvcm0vSVBDL3VuaXgvQ29ubmVjdGlvblVuaXguY3BwCisrKyBi L1NvdXJjZS9XZWJLaXQvUGxhdGZvcm0vSVBDL3VuaXgvQ29ubmVjdGlvblVuaXguY3BwCkBAIC0y NzMsNyArMjczLDcgQEAgc3RhdGljIHNzaXplX3QgcmVhZEJ5dGVzRnJvbVNvY2tldChpbnQgc29j a2V0RGVzY3JpcHRvciwgVmVjdG9yPHVpbnQ4X3Q+JiBidWZmZXIKICAgICAgICAgc3RydWN0IGNt c2doZHIqIGNvbnRyb2xNZXNzYWdlOwogICAgICAgICBmb3IgKGNvbnRyb2xNZXNzYWdlID0gQ01T R19GSVJTVEhEUigmbWVzc2FnZSk7IGNvbnRyb2xNZXNzYWdlOyBjb250cm9sTWVzc2FnZSA9IENN U0dfTlhUSERSKCZtZXNzYWdlLCBjb250cm9sTWVzc2FnZSkpIHsKICAgICAgICAgICAgIGlmIChj b250cm9sTWVzc2FnZS0+Y21zZ19sZXZlbCA9PSBTT0xfU09DS0VUICYmIGNvbnRyb2xNZXNzYWdl LT5jbXNnX3R5cGUgPT0gU0NNX1JJR0hUUykgewotICAgICAgICAgICAgICAgIGlmIChjb250cm9s TWVzc2FnZS0+Y21zZ19sZW4gPCBDTVNHX0xFTigwKSB8fCBjb250cm9sTWVzc2FnZS0+Y21zZ19s ZW4gPiBhdHRhY2htZW50TWF4QW1vdW50KSB7CisgICAgICAgICAgICAgICAgaWYgKGNvbnRyb2xN ZXNzYWdlLT5jbXNnX2xlbiA8IENNU0dfTEVOKDApIHx8IGNvbnRyb2xNZXNzYWdlLT5jbXNnX2xl biA+IENNU0dfTEVOKHNpemVvZihpbnQpICogYXR0YWNobWVudE1heEFtb3VudCkpIHsKICAgICAg ICAgICAgICAgICAgICAgQVNTRVJUX05PVF9SRUFDSEVEKCk7CiAgICAgICAgICAgICAgICAgICAg IGJyZWFrOwogICAgICAgICAgICAgICAgIH0K