Bug 209133

Summary: AuthenticatorResponseData::decode should check bufferIsLargeEnoughToContain before allocating buffers
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ews-watchlist, jiewen_tan, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 209131    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Description Fujii Hironori 2020-03-16 01:13:52 PDT 
AuthenticatorResponseData::decode should check bufferIsLargeEnoughToContain before allocating buffers

This is a sub-task of Bug 209131.
Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Comment 1 Fujii Hironori 2020-03-16 01:17:47 PDT 
Created attachment 393635 [details]
Patch
Comment 2 Fujii Hironori 2020-03-16 01:32:50 PDT 
Created attachment 393637 [details]
Patch
Comment 3 Jiewen Tan 2020-03-16 13:12:30 PDT 
Comment on attachment 393637 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393637&action=review

Please fix all build failures.

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114
> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength))

This doesn't seem to be a valid C++ expression.

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:134
> +        if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(attestationObjectLength))

This doesn't seem to be a valid C++ expression.

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:150
> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(authenticatorDataLength))

This doesn't seem to be a valid C++ expression.

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:163
> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(signatureLength))

This doesn't seem to be a valid C++ expression.

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:189
> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(userHandleLength))

This doesn't seem to be a valid C++ expression.
Comment 4 Fujii Hironori 2020-03-16 13:24:02 PDT 
Thanks. Will fix.
Comment 5 Darin Adler 2020-03-16 13:48:29 PDT 
Comment on attachment 393637 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393637&action=review

>> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114
>> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength))
> 
> This doesn't seem to be a valid C++ expression.

Needs to be rawIdLength.value(), but otherwise looks valid to me. Are you just saying you’re not familiar with the ".template" syntax?
Comment 6 Fujii Hironori 2020-03-16 14:12:55 PDT 
Oh, that part.  See
https://stackoverflow.com/q/3786360
https://stackoverflow.com/a/613132

Too long, I didn't read neither understand :-)
Comment 7 Fujii Hironori 2020-03-16 14:29:11 PDT 
Created attachment 393682 [details]
Patch
Comment 8 Jiewen Tan 2020-03-16 14:45:01 PDT 
(In reply to Darin Adler from comment #5)
> Comment on attachment 393637 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=393637&action=review
> 
> >> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114
> >> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength))
> > 
> > This doesn't seem to be a valid C++ expression.
> 
> Needs to be rawIdLength.value(), but otherwise looks valid to me. Are you
> just saying you’re not familiar with the ".template" syntax?

My bad, it has been a while since last time I have to use .template.
Comment 9 Darin Adler 2020-03-18 11:24:55 PDT 
Comment on attachment 393682 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393682&action=review

> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:120
>      if (!rawIdLength)
>          return WTF::nullopt;
>  
> -    result.rawId = ArrayBuffer::create(rawIdLength.value(), sizeof(uint8_t));
> +    if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength.value()))
> +        return WTF::nullopt;
> +    result.rawId = ArrayBuffer::tryCreate(rawIdLength.value(), sizeof(uint8_t));
> +    if (!result.rawId)
> +        return WTF::nullopt;
>      if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(result.rawId->data()), rawIdLength.value(), 1))
>          return WTF::nullopt;

Feels to me like we should refactor so we can share more code. This pattern over and over again.
Comment 10 Fujii Hironori 2020-03-18 14:24:32 PDT 
Comment on attachment 393682 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393682&action=review

>> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:120
>>          return WTF::nullopt;
> 
> Feels to me like we should refactor so we can share more code. This pattern over and over again.

Good idea. Will fix.
Comment 11 Fujii Hironori 2020-03-18 14:30:40 PDT 
Created attachment 393904 [details]
Patch
Comment 12 Fujii Hironori 2020-03-18 18:14:51 PDT 
Created attachment 393929 [details]
Patch
Comment 13 Fujii Hironori 2020-03-18 20:07:04 PDT 
Comment on attachment 393929 [details]
Patch

Clearing flags on attachment: 393929

Committed r258676: <https://trac.webkit.org/changeset/258676>
Comment 14 Fujii Hironori 2020-03-18 20:07:08 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 15 Radar WebKit Bug Importer 2020-03-18 20:08:15 PDT 
<rdar://problem/60615555>