227247 2021-06-21 20:53:55 -0700 [Cocoa] Force a copy of font data when receiving it from the untrusted web process 2021-06-22 00:42:17 -0700 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mmaxfield mmaxfield dino jonlee mjs simon.fraser thorton webkit-bug-importer oldest_to_newest 1771589 0 mmaxfield 2021-06-21 20:53:55 -0700 [Cocoa] Force a copy of font data when receiving it from the untrusted web process 1771591 1 431943 mmaxfield 2021-06-21 20:57:32 -0700 Created attachment 431943 Patch 1771592 2 mmaxfield 2021-06-21 20:58:20 -0700 <rdar://problem/70825675> 1771599 3 431943 mjs 2021-06-21 21:30:25 -0700 Comment on attachment 431943 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=431943&action=review r=me, but see comment regarding testing. > Source/WebKit/ChangeLog:14 > + No new tests because there is no behavior change. There's no behavior change if all goes well, but there is a behavior change in the case of a compromised WebContent process. It should be possible to add some kind of internal interface that makes WebCore send over font data and then scribble over it with random timing, which would hopefully eventually crash without this patch, and then show with this patch it doesn't crash. I don't know how practical that is though. 1771616 4 ews-feeder 2021-06-22 00:42:15 -0700 Committed r279106 (239023@main): <https://commits.webkit.org/239023@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 431943. 431943 2021-06-21 20:57:32 -0700 2021-06-22 00:42:16 -0700 Patch bug-227247-20210621205731.patch text/plain 3223 mmaxfield U3VidmVyc2lvbiBSZXZpc2lvbjogMjc5MDg2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDNkMThkNTVjOWI2Y2NhNDA0 ZjdlN2E4YWFkN2ViOGQyYjVkYTMzZTguLmY4YTQ0MjU5NjhiMWM4M2MzMjhjOWU5MDQ0MzgyYmZm MDQ0OGE5N2UgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjEgQEAKKzIwMjEtMDYtMjEgIE15bGVzIEMu IE1heGZpZWxkICA8bW1heGZpZWxkQGFwcGxlLmNvbT4KKworICAgICAgICBbQ29jb2FdIEZvcmNl IGEgY29weSBvZiBmb250IGRhdGEgd2hlbiByZWNlaXZpbmcgaXQgZnJvbSB0aGUgdW50cnVzdGVk IHdlYiBwcm9jZXNzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0yMjcyNDcKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzcwODI1Njc1PgorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFNlbmRpbmcgYSBTaGFyZWRC dWZmZXIgYWNyb3NzIElQQyBpcyBpbXBsZW1lbnRlZCBieSBoYXZpbmcgdGhlIHJlY2VpdmVyIG1h cCBhIHNobWVtIGludG8gaXRzIGFkZHJlc3Mgc3BhY2UuIE9uCisgICAgICAgIHRoZSBzZW5kZXIn cyBzaWRlLCB0aGUgc2htZW0gc3RpbGwgZXhpc3RzLCBhbmQgYSBjb21wcm9taXNlZCB3ZWIgcHJv Y2VzcyBjb3VsZCBzY3JpYmJsZSBkYXRhIGludG8gaXQgYWZ0ZXIKKyAgICAgICAgc2VuZGluZyBp dC4gU28sIHdoZW4gdGhlIEdQVSBwcm9jZXNzIHJlY2VpdmVzIHRoZSBmb250IGRhdGEsIHdlIG5l ZWQgdG8gbWFrZSBhIGNvcHkgb2YgaXQgbG9jYWxseSB0byBtYWtlIHN1cmUKKyAgICAgICAgdGhl IGRhdGEgY2FuJ3QgY2hhbmdlIG91dCBmcm9tIHVuZGVyIHVzLgorCisgICAgICAgIE5vIG5ldyB0 ZXN0cyBiZWNhdXNlIHRoZXJlIGlzIG5vIGJlaGF2aW9yIGNoYW5nZS4KKworICAgICAgICAqIFNo YXJlZC9Db2NvYS9XZWJDb3JlQXJndW1lbnRDb2RlcnNDb2NvYS5tbToKKyAgICAgICAgKElQQzo6 QXJndW1lbnRDb2RlcjxSZWY8V2ViQ29yZTo6Rm9udD4+OjpkZWNvZGVQbGF0Zm9ybURhdGEpOgor CiAyMDIxLTA2LTIxICBNeWxlcyBDLiBNYXhmaWVsZCAgPG1tYXhmaWVsZEBhcHBsZS5jb20+CiAK ICAgICAgICAgRml4IEFwcGxlIGludGVybmFsIGJ1aWxkCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2Vi S2l0L1NoYXJlZC9Db2NvYS9XZWJDb3JlQXJndW1lbnRDb2RlcnNDb2NvYS5tbSBiL1NvdXJjZS9X ZWJLaXQvU2hhcmVkL0NvY29hL1dlYkNvcmVBcmd1bWVudENvZGVyc0NvY29hLm1tCmluZGV4IGY4 MjE4OWJlZjkxYWE0MWMxNzZjNzZkYmMyYjQwNzhjMzAwZjZhMTAuLjk5MzRiNjExYjU5YmNlYTE2 ZTFkOTY4NmNjNDYxNDNjODMyNGI1MTAgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvU2hhcmVk L0NvY29hL1dlYkNvcmVBcmd1bWVudENvZGVyc0NvY29hLm1tCisrKyBiL1NvdXJjZS9XZWJLaXQv U2hhcmVkL0NvY29hL1dlYkNvcmVBcmd1bWVudENvZGVyc0NvY29hLm1tCkBAIC01NDEsMTIgKzU0 MSwxNSBAQCBzdGQ6Om9wdGlvbmFsPFdlYkNvcmU6OkZvbnRQbGF0Zm9ybURhdGE+IEFyZ3VtZW50 Q29kZXI8UmVmPFdlYkNvcmU6OkZvbnQ+Pjo6ZGVjbwogICAgICAgICBpZiAoIWZvbnRGYWNlRGF0 YSkKICAgICAgICAgICAgIHJldHVybiBzdGQ6Om51bGxvcHQ7CiAKKyAgICAgICAgLy8gVXBvbiBy ZWNlaXB0LCBjb3B5IHRoZSBkYXRhIGZvciBzZWN1cml0eSwgc28gdGhlIHNlbmRlciBjYW4ndCBz Y3JpYmJsZSBvdmVyIGl0IHdoaWxlIHdlJ3JlIHVzaW5nIGl0LgorICAgICAgICBhdXRvIGxvY2Fs Rm9udEZhY2VEYXRhID0gV2ViQ29yZTo6U2hhcmVkQnVmZmVyOjpjcmVhdGUoZm9udEZhY2VEYXRh LnZhbHVlKCktPmRhdGEoKSwgZm9udEZhY2VEYXRhLnZhbHVlKCktPnNpemUoKSk7CisKICAgICAg ICAgc3RkOjpvcHRpb25hbDxTdHJpbmc+IGl0ZW1JbkNvbGxlY3Rpb247CiAgICAgICAgIGRlY29k ZXIgPj4gaXRlbUluQ29sbGVjdGlvbjsKICAgICAgICAgaWYgKCFpdGVtSW5Db2xsZWN0aW9uKQog ICAgICAgICAgICAgcmV0dXJuIHN0ZDo6bnVsbG9wdDsKIAotICAgICAgICBhdXRvIGZvbnRDdXN0 b21QbGF0Zm9ybURhdGEgPSBjcmVhdGVGb250Q3VzdG9tUGxhdGZvcm1EYXRhKCpmb250RmFjZURh dGEsICppdGVtSW5Db2xsZWN0aW9uKTsKKyAgICAgICAgYXV0byBmb250Q3VzdG9tUGxhdGZvcm1E YXRhID0gY3JlYXRlRm9udEN1c3RvbVBsYXRmb3JtRGF0YShsb2NhbEZvbnRGYWNlRGF0YSwgKml0 ZW1JbkNvbGxlY3Rpb24pOwogICAgICAgICBpZiAoIWZvbnRDdXN0b21QbGF0Zm9ybURhdGEpCiAg ICAgICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0OwogICAgICAgICBhdXRvIGJhc2VGb250RGVz Y3JpcHRvciA9IGZvbnRDdXN0b21QbGF0Zm9ybURhdGEtPmZvbnREZXNjcmlwdG9yLmdldCgpOwpA QCAtNTU1LDcgKzU1OCw3IEBAIHN0ZDo6b3B0aW9uYWw8V2ViQ29yZTo6Rm9udFBsYXRmb3JtRGF0 YT4gQXJndW1lbnRDb2RlcjxSZWY8V2ViQ29yZTo6Rm9udD4+OjpkZWNvCiAgICAgICAgIGF1dG8g Zm9udERlc2NyaXB0b3IgPSBhZG9wdENGKENURm9udERlc2NyaXB0b3JDcmVhdGVDb3B5V2l0aEF0 dHJpYnV0ZXMoYmFzZUZvbnREZXNjcmlwdG9yLCBhdHRyaWJ1dGVzLT5nZXQoKSkpOwogICAgICAg ICBhdXRvIGN0Rm9udCA9IGFkb3B0Q0YoQ1RGb250Q3JlYXRlV2l0aEZvbnREZXNjcmlwdG9yKGZv bnREZXNjcmlwdG9yLmdldCgpLCAqc2l6ZSwgbnVsbHB0cikpOwogCi0gICAgICAgIGF1dG8gY3Jl YXRpb25EYXRhID0gV2ViQ29yZTo6Rm9udFBsYXRmb3JtRGF0YTo6Q3JlYXRpb25EYXRhIHsgKmZv bnRGYWNlRGF0YSwgKml0ZW1JbkNvbGxlY3Rpb24gfTsKKyAgICAgICAgYXV0byBjcmVhdGlvbkRh dGEgPSBXZWJDb3JlOjpGb250UGxhdGZvcm1EYXRhOjpDcmVhdGlvbkRhdGEgeyBsb2NhbEZvbnRG YWNlRGF0YSwgKml0ZW1JbkNvbGxlY3Rpb24gfTsKICAgICAgICAgcmV0dXJuIFdlYkNvcmU6OkZv bnRQbGF0Zm9ybURhdGEoY3RGb250LmdldCgpLCAqc2l6ZSwgKnN5bnRoZXRpY0JvbGQsICpzeW50 aGV0aWNPYmxpcXVlLCAqb3JpZW50YXRpb24sICp3aWR0aFZhcmlhbnQsICp0ZXh0UmVuZGVyaW5n TW9kZSwgJmNyZWF0aW9uRGF0YSk7CiAgICAgfQogCg==