Summary: | [WK2] Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode() | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Chris Dumez <cdumez> | ||||
Component: | WebKit2 | Assignee: | Chris Dumez <cdumez> | ||||
Status: | RESOLVED INVALID | ||||||
Severity: | Normal | CC: | andersca, benjamin, commit-queue, darin, kling, sam | ||||
Priority: | P2 | ||||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Attachments: |
|
Description
Chris Dumez
2015-08-03 21:05:52 PDT
Created attachment 258152 [details]
Patch
Comment on attachment 258152 [details]
Patch
r=me, so obvious!
Comment on attachment 258152 [details] Patch Clearing flags on attachment: 258152 Committed r187812: <http://trac.webkit.org/changeset/187812> All reviewed patches have been landed. Closing bug. This is wrong. This means that a malicious web process could send a huge number and crash the UI process. Please revert this. Reverted r187812 for reason: This is not safe Committed r187865: <http://trac.webkit.org/changeset/187865> (In reply to comment #5) > This is wrong. This means that a malicious web process could send a huge > number and crash the UI process. Please revert this. Without this change, what happens if the web process sends a huge number for size? |