Bug 209219

Summary: WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
Product: WebKit Reporter: Fujii Hironori <fujii.hironori>
Component: WebKit2Assignee: Fujii Hironori <fujii.hironori>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 209131    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Fujii Hironori
Reported 2020-03-17 21:35:34 PDT
WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers This is a sub-task of Bug 209131. Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Attachments
Patch (2.00 KB, patch)
2020-03-17 21:46 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (2.03 KB, patch)
2020-03-18 01:13 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (2.04 KB, patch)
2020-03-18 01:16 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Patch (2.13 KB, patch)
2020-03-18 13:56 PDT, Fujii Hironori 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2020-03-17 21:46:48 PDT
Created attachment 393822 [details] Patch
Fujii Hironori
Comment 2 2020-03-18 01:13:42 PDT
Created attachment 393827 [details] Patch
Fujii Hironori
Comment 3 2020-03-18 01:16:32 PDT
Created attachment 393828 [details] Patch
Darin Adler
Comment 4 2020-03-18 11:22:37 PDT
Comment on attachment 393828 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393828&action=review > Source/WebKit/Shared/WebCoreArgumentCoders.cpp:158 > + if (!decoder.bufferIsLargeEnoughToContain<unsigned char>(bufferSize)) > + return false; This *needs* to be inside the #if USE(UNIX_DOMAIN_SOCKETS) and should be uint8_t, not unsigned char. > Source/WebKit/Shared/WebCoreArgumentCoders.cpp:199 > + data.resize(0); This is not needed. We can and should rely on being passed an empty vector. > Source/WebKit/Shared/WebCoreArgumentCoders.cpp:202 > decodeSharedBuffer(decoder, buffer); Strange and incorrect that this does not check the return result. Should say: if (!decodeSharedBuffer(decoder, buffer)) return false;
Fujii Hironori
Comment 5 2020-03-18 13:54:06 PDT
Thank you for the review. Will fix.
Fujii Hironori
Comment 6 2020-03-18 13:56:29 PDT
Created attachment 393901 [details] Patch
Fujii Hironori
Comment 7 2020-03-18 20:00:17 PDT
Comment on attachment 393901 [details] Patch Clearing flags on attachment: 393901 Committed r258675: <https://trac.webkit.org/changeset/258675>
Fujii Hironori
Comment 8 2020-03-18 20:00:21 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 9 2020-03-18 20:01:13 PDT
<rdar://problem/60615337>
Note You need to log in before you can comment on or make changes to this bug.