Summary: | Guard against possible iterator access outside the bounds of the container | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Brent Fulgham <bfulgham> | ||||||
Component: | WebKit2 | Assignee: | Brent Fulgham <bfulgham> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | achristensen, bfulgham, cdumez, darin, sam | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Nightly Build | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Brent Fulgham
2017-09-25 15:24:52 PDT
Created attachment 321765 [details]
Patch
Comment on attachment 321765 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=321765&action=review > Source/WebKit/UIProcess/WebPageProxy.cpp:7021 > - ASSERT(iterator != m_urlSchemeHandlersByIdentifier.end()); > + ASSERT_WITH_SECURITY_IMPLICATION(iterator != m_urlSchemeHandlersByIdentifier.end()); > + > + if (iterator == m_urlSchemeHandlersByIdentifier.end()) > + return; If these values are coming from the WebProcess or NetworkProcess, these should be MESSAGE_CHECKs, not assertions. (In reply to Sam Weinig from comment #3) > Comment on attachment 321765 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=321765&action=review > > > Source/WebKit/UIProcess/WebPageProxy.cpp:7021 > > - ASSERT(iterator != m_urlSchemeHandlersByIdentifier.end()); > > + ASSERT_WITH_SECURITY_IMPLICATION(iterator != m_urlSchemeHandlersByIdentifier.end()); > > + > > + if (iterator == m_urlSchemeHandlersByIdentifier.end()) > > + return; > > If these values are coming from the WebProcess or NetworkProcess, these > should be MESSAGE_CHECKs, not assertions. Will do. Created attachment 321820 [details]
Patch
Committed r222520: <http://trac.webkit.org/changeset/222520> Comment on attachment 321820 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=321820&action=review > Source/WebKit/UIProcess/WebPageProxy.cpp:7018 > + MESSAGE_CHECK(iterator != m_urlSchemeHandlersByIdentifier.end()); This seems insufficient. I assume there are values for handlerIdentifier that are not legal hash table keys. We need to MESSAGE_CHECK those before calling find. > Source/WebKit/UIProcess/WebPageProxy.cpp:7026 > + MESSAGE_CHECK(iterator != m_urlSchemeHandlersByIdentifier.end()); Ditto. (In reply to Darin Adler from comment #7) > Comment on attachment 321820 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=321820&action=review > > > Source/WebKit/UIProcess/WebPageProxy.cpp:7018 > > + MESSAGE_CHECK(iterator != m_urlSchemeHandlersByIdentifier.end()); > > This seems insufficient. I assume there are values for handlerIdentifier > that are not legal hash table keys. We need to MESSAGE_CHECK those before > calling find. > > > Source/WebKit/UIProcess/WebPageProxy.cpp:7026 > > + MESSAGE_CHECK(iterator != m_urlSchemeHandlersByIdentifier.end()); > > Ditto. Indeed. We do this elsewhere using MESSAGE_CHECK(HashMap<Key, Value>::isValidKey(rawKey)) I also think you need to do this same type of fix for the other identifier being passed. Probably in WebURLSchemeHandler::startTask() and WebURLSchemeHandler::stopTask(). |