| Field | Value |
|---|---|
| Summary | WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers |
| Product | WebKit |
| Component | WebKit2 |
| Reporter | Fujii Hironori <Hironori.Fujii> |
| Assignee | Fujii Hironori <Hironori.Fujii> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| CC | darin, webkit-bug-importer |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Bug Blocks | 209131 |
Description

Fujii Hironori, 2020-03-17 21:35:34 PDT

Created attachment 393822 [details]
Patch

Created attachment 393827 [details]
Patch

Created attachment 393828 [details]
Patch

Comment on attachment 393828 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393828&action=review

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:158
> + if (!decoder.bufferIsLargeEnoughToContain<unsigned char>(bufferSize))
> + return false;

This *needs* to be inside the #if USE(UNIX_DOMAIN_SOCKETS) and should be uint8_t, not unsigned char.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:199
> + data.resize(0);

This is not needed. We can and should rely on being passed an empty vector.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:202
> decodeSharedBuffer(decoder, buffer);

Strange and incorrect that this does not check the return result. Should say:

    if (!decodeSharedBuffer(decoder, buffer))
        return false;

Thank you for the review. Will fix.

Created attachment 393901 [details]
Patch

Comment on attachment 393901 [details]: Patch
Clearing flags on attachment: 393901
Committed r258675: <https://trac.webkit.org/changeset/258675>

All reviewed patches have been landed. Closing bug.
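As an added illustration of the pattern this bug lands (example code, not WebKit's own IPC::Decoder or WebCoreArgumentCoders): a minimal decoder that consults `bufferIsLargeEnoughToContain<T>` before `resize()`, so a peer-supplied length that the remaining message cannot back is rejected before it drives an allocation. The `Decoder` class, `makeMessage` helper and the 8-byte little-endian length prefix are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
// Illustrative stand-in for an IPC decoder over an untrusted message
// (hypothetical, not WebKit's IPC::Decoder; method names mirror the bug).
class Decoder {
public:
    explicit Decoder(const std::vector<uint8_t>& msg) : m_data(msg.data()), m_size(msg.size()) {}
    size_t remaining() const { return m_size - m_pos; }
    // Reads a little-endian uint64_t: the buffer length claimed by the peer.
    bool decode(uint64_t& value) {
        if (remaining() < sizeof(value)) return false;
        value = 0;
        for (size_t i = 0; i < sizeof(value); ++i)
            value |= uint64_t(m_data[m_pos + i]) << (8 * i);
        m_pos += sizeof(value);
        return true;
    }
    // The check this bug is about: can the unread bytes hold `count` elements of T?
    // Dividing instead of multiplying avoids overflow in count * sizeof(T).
    template<typename T>
    bool bufferIsLargeEnoughToContain(uint64_t count) const {
        return count <= remaining() / sizeof(T);
    }
    bool decodeFixedLengthData(uint8_t* out, size_t n) {
        if (remaining() < n) return false;
        if (n) std::memcpy(out, m_data + m_pos, n);
        m_pos += n;
        return true;
    }
private:
    const uint8_t* m_data; size_t m_size; size_t m_pos = 0;
};
// Hardened decode: the size check runs before resize(), so a message that
// claims a huge buffer is rejected instead of driving an allocation.
bool decodeSharedBuffer(Decoder& decoder, std::vector<uint8_t>& buffer) {
    uint64_t bufferSize;
    if (!decoder.decode(bufferSize) || !decoder.bufferIsLargeEnoughToContain<uint8_t>(bufferSize))
        return false;
    buffer.resize(static_cast<size_t>(bufferSize));
    return decoder.decodeFixedLengthData(buffer.data(), buffer.size());
}
// Constructed sample message: 8-byte little-endian length prefix, then payload.
std::vector<uint8_t> makeMessage(uint64_t claimedSize, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> msg(8);
    for (size_t i = 0; i < 8; ++i) msg[i] = uint8_t(claimedSize >> (8 * i));
    msg.insert(msg.end(), payload.begin(), payload.end());
    return msg;
}
```

The same check also guards the peer-controlled case from the reviewed hunk: a message whose length prefix says terabytes but carries four bytes returns false with the output vector still empty.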