Bug 147619

Summary:

[WK2] Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode()

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

WebKit2

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED INVALID

Severity:

Normal

CC:

andersca, benjamin, commit-queue, darin, kling, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Description Chris Dumez 2015-08-03 21:05:52 PDT

Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode() as we know the size of the Vector in advance.

Comment 1 Chris Dumez 2015-08-03 21:06:50 PDT

Created attachment 258152 [details]
Patch

Comment 2 Andreas Kling 2015-08-03 21:13:33 PDT

Comment on attachment 258152 [details]
Patch

r=me, so obvious!

Comment 3 WebKit Commit Bot 2015-08-03 22:02:03 PDT

Comment on attachment 258152 [details]
Patch

Clearing flags on attachment: 258152

Committed r187812: <http://trac.webkit.org/changeset/187812>

Comment 4 WebKit Commit Bot 2015-08-03 22:02:08 PDT

All reviewed patches have been landed.  Closing bug.

Comment 5 Anders Carlsson 2015-08-04 10:06:00 PDT

This is wrong. This means that a malicious web process could send a huge number and crash the UI process. Please revert this.

Comment 6 Chris Dumez 2015-08-04 10:12:30 PDT

Reverted r187812 for reason:

This is not safe

Committed r187865: <http://trac.webkit.org/changeset/187865>

Comment 7 Darin Adler 2015-08-08 14:32:37 PDT

(In reply to comment #5)
> This is wrong. This means that a malicious web process could send a huge
> number and crash the UI process. Please revert this.

Without this change, what happens if the web process sends a huge number for size?