Bug 209133

Summary: AuthenticatorResponseData::decode should check bufferIsLargeEnoughToContain before allocating buffers
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ews-watchlist, jiewen_tan, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 209131    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Fujii Hironori
Reported 2020-03-16 01:13:52 PDT
AuthenticatorResponseData::decode should check bufferIsLargeEnoughToContain before allocating buffers This is a sub-task of Bug 209131. Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Attachments
Patch (4.66 KB, patch)
2020-03-16 01:17 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (4.71 KB, patch)
2020-03-16 01:32 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (4.71 KB, patch)
2020-03-16 14:29 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (7.19 KB, patch)
2020-03-18 14:30 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (7.31 KB, patch)
2020-03-18 18:14 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2020-03-16 01:17:47 PDT
Created attachment 393635 [details] Patch
Fujii Hironori
Comment 2 2020-03-16 01:32:50 PDT
Created attachment 393637 [details] Patch
Jiewen Tan
Comment 3 2020-03-16 13:12:30 PDT
Comment on attachment 393637 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393637&action=review Please fix all build failures. > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114 > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength)) This doesn't seem to be a valid C++ expression. > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:134 > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(attestationObjectLength)) This doesn't seem to be a valid C++ expression. > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:150 > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(authenticatorDataLength)) This doesn't seem to be a valid C++ expression. > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:163 > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(signatureLength)) This doesn't seem to be a valid C++ expression. > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:189 > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(userHandleLength)) This doesn't seem to be a valid C++ expression.
Fujii Hironori
Comment 4 2020-03-16 13:24:02 PDT
Thanks. Will fix.
Darin Adler
Comment 5 2020-03-16 13:48:29 PDT
Comment on attachment 393637 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393637&action=review >> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114 >> + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength)) > > This doesn't seem to be a valid C++ expression. Needs to be rawIdLength.value(), but otherwise looks valid to me. Are you just saying you’re not familiar with the ".template" syntax?
Fujii Hironori
Comment 6 2020-03-16 14:12:55 PDT
Oh, that part. See https://stackoverflow.com/q/3786360 https://stackoverflow.com/a/613132 Too long, I didn't read neither understand :-)
Fujii Hironori
Comment 7 2020-03-16 14:29:11 PDT
Created attachment 393682 [details] Patch
Jiewen Tan
Comment 8 2020-03-16 14:45:01 PDT
(In reply to Darin Adler from comment #5) > Comment on attachment 393637 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=393637&action=review > > >> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:114 > >> + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength)) > > > > This doesn't seem to be a valid C++ expression. > > Needs to be rawIdLength.value(), but otherwise looks valid to me. Are you > just saying you’re not familiar with the ".template" syntax? My bad, it has been a while since last time I have to use .template.
Darin Adler
Comment 9 2020-03-18 11:24:55 PDT
Comment on attachment 393682 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393682&action=review > Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:120 > if (!rawIdLength) > return WTF::nullopt; > > - result.rawId = ArrayBuffer::create(rawIdLength.value(), sizeof(uint8_t)); > + if (!decoder.template bufferIsLargeEnoughToContain<uint8_t>(rawIdLength.value())) > + return WTF::nullopt; > + result.rawId = ArrayBuffer::tryCreate(rawIdLength.value(), sizeof(uint8_t)); > + if (!result.rawId) > + return WTF::nullopt; > if (!decoder.decodeFixedLengthData(reinterpret_cast<uint8_t*>(result.rawId->data()), rawIdLength.value(), 1)) > return WTF::nullopt; Feels to me like we should refactor so we can share more code. This pattern over and over again.
Fujii Hironori
Comment 10 2020-03-18 14:24:32 PDT
Comment on attachment 393682 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393682&action=review >> Source/WebCore/Modules/webauthn/AuthenticatorResponseData.h:120 >> return WTF::nullopt; > > Feels to me like we should refactor so we can share more code. This pattern over and over again. Good idea. Will fix.
Fujii Hironori
Comment 11 2020-03-18 14:30:40 PDT
Created attachment 393904 [details] Patch
Fujii Hironori
Comment 12 2020-03-18 18:14:51 PDT
Created attachment 393929 [details] Patch
Fujii Hironori
Comment 13 2020-03-18 20:07:04 PDT
Comment on attachment 393929 [details] Patch Clearing flags on attachment: 393929 Committed r258676: <https://trac.webkit.org/changeset/258676>
Fujii Hironori
Comment 14 2020-03-18 20:07:08 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 15 2020-03-18 20:08:15 PDT
<rdar://problem/60615555>
Note You need to log in before you can comment on or make changes to this bug.