Bug 209131
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size) | | |
| Product: | WebKit | Reporter: | Fujii Hironori <fujii.hironori> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, darin |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | 209132, 209133, 209219, 209270 | | |
| Bug Blocks: | | | |
Fujii Hironori
Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
(In reply to Darin Adler from bug #207324 comment #5)
>
> I see the same mistake in:
>
> 1) decodeCFData in CertificateInfo.h
> 2) AuthenticatorResponseData::decode where it also uses ArrayBuffer::create
> but should be using ArrayBuffer::tryCreate
> 3) SerializedScriptValue::decode
> 4) decodeSharedBuffer and decodeTypesAndData in WebCoreArgumentCoders.cpp
>
> We need someone to fix all of those. May not be as easy to write tests for
> those.
Let's fix them.
Brent Fulgham
All subtasks are complete. Closing!