Bug 147619

Summary: [WK2] Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode()
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebKit2Assignee: Chris Dumez <cdumez>
Status: RESOLVED INVALID    
Severity: Normal CC: andersca, benjamin, commit-queue, darin, kling, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Chris Dumez
Reported 2015-08-03 21:05:52 PDT
Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode() as we know the size of the Vector in advance.
Attachments
Patch (1.66 KB, patch)
2015-08-03 21:06 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2015-08-03 21:06:50 PDT
Created attachment 258152 [details] Patch
Andreas Kling
Comment 2 2015-08-03 21:13:33 PDT
Comment on attachment 258152 [details] Patch r=me, so obvious!
WebKit Commit Bot
Comment 3 2015-08-03 22:02:03 PDT
Comment on attachment 258152 [details] Patch Clearing flags on attachment: 258152 Committed r187812: <http://trac.webkit.org/changeset/187812>
WebKit Commit Bot
Comment 4 2015-08-03 22:02:08 PDT
All reviewed patches have been landed. Closing bug.
Anders Carlsson
Comment 5 2015-08-04 10:06:00 PDT
This is wrong. This means that a malicious web process could send a huge number and crash the UI process. Please revert this.
Chris Dumez
Comment 6 2015-08-04 10:12:30 PDT
Reverted r187812 for reason: This is not safe Committed r187865: <http://trac.webkit.org/changeset/187865>
Darin Adler
Comment 7 2015-08-08 14:32:37 PDT
(In reply to comment #5) > This is wrong. This means that a malicious web process could send a huge > number and crash the UI process. Please revert this. Without this change, what happens if the web process sends a huge number for size?
Note You need to log in before you can comment on or make changes to this bug.