Bug 210621

Summary: -[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:at:size:]
Product: Security
Component: Security
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Assignee: David Kilzer (:ddkilzer) <ddkilzer>
CC: andersca, bfulgham, darin, ews-feeder, product-security, webkit-bug-importer
Keywords: InRadar
See Also: https://bugs.webkit.org/show_bug.cgi?id=229121

David Kilzer (:ddkilzer)
Reported 2020-04-16 15:14:33 PDT
-[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:at:size:].
Found by clang static analyzer:
Deprecated method '-decodeValueOfObjCType:at:' is insecure as it can lead to potential buffer overflows. Use the safer '-decodeValueOfObjCType:at:size:' method
Attachments
Patch v1 (1.61 KB, patch)
2020-04-16 15:19 PDT, David Kilzer (:ddkilzer)
no flags
Patch v1 (1.61 KB, patch)
2020-04-16 15:20 PDT, David Kilzer (:ddkilzer)
no flags
Patch v1 third time (1.61 KB, patch)
2020-04-16 16:45 PDT, David Kilzer (:ddkilzer)
no flags
Radar WebKit Bug Importer
Comment 1 2020-04-16 15:14:45 PDT
David Kilzer (:ddkilzer)
Comment 2 2020-04-16 15:19:46 PDT
Created attachment 396705 [details] Patch v1
David Kilzer (:ddkilzer)
Comment 3 2020-04-16 15:20:18 PDT
Created attachment 396706 [details] Patch v1
David Kilzer (:ddkilzer)
Comment 4 2020-04-16 15:21:37 PDT
(In reply to David Kilzer (:ddkilzer) from comment #3)
> Created attachment 396706 [details]
> Patch v1
Tired. Uploaded the same patch twice.
David Kilzer (:ddkilzer)
Comment 5 2020-04-16 16:45:56 PDT
Created attachment 396722 [details] Patch v1 third time
Sigh. EWS bots won't let me rebuild an obsoleted patch, even if I un-obsolete it.
David Kilzer (:ddkilzer)
Comment 6 2020-04-17 16:55:27 PDT
Patch is ready for review.
EWS
Comment 7 2020-04-18 09:33:08 PDT
Committed r260315: <https://trac.webkit.org/changeset/260315>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 396722 [details].
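The API change requested in the report, shown as an added example that is not the WebKit patch and not code from this page. The class `ExamplePrefs` and its fields are hypothetical, ARC is assumed, and only the non-keyed coding path is shown.

```objc
#import <Foundation/Foundation.h>

// Hypothetical NSCoding class for illustration; not WebKit's WebPreferences.
@interface ExamplePrefs : NSObject <NSCoding>
@property (nonatomic) int version;
@property (nonatomic, copy) NSString *identifier;
@end

@implementation ExamplePrefs

- (void)encodeWithCoder:(NSCoder *)coder
{
    // Non-keyed (sequential) archive: values are written in a fixed order.
    [coder encodeValueOfObjCType:@encode(int) at:&_version];
    [coder encodeObject:_identifier];
}

- (instancetype)initWithCoder:(NSCoder *)coder
{
    if (!(self = [super init]))
        return nil;

    int version = 0;

    // Before (the form the analyzer flags): the coder receives only a type
    // encoding and a raw pointer, with no record of how large the
    // destination is. If the type string and the variable ever disagree,
    // for example @encode(long) paired with an int, nothing in the call
    // can reveal that the write will not fit.
    //
    //     [coder decodeValueOfObjCType:@encode(int) at:&version];

    // After: the caller states the destination size next to the pointer.
    // Using sizeof(version) ties the size to the variable itself, so a
    // later change of the variable's type updates the size automatically.
    [coder decodeValueOfObjCType:@encode(int)
                              at:&version
                            size:sizeof(version)];

    _version = version;
    _identifier = [[coder decodeObject] copy];
    return self;
}

@end
```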