Bug 224214

Summary: IPC::decodeObject null dereference in decodeArrayInternal()
Product: WebKit Reporter: Ian Gilbert <iang>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, ews-feeder, kkinnunen, product-security, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Ian Gilbert
Reported 2021-04-05 16:21:53 PDT
decodeObject can return { nullptr }, which is a valid object but doesn't have a value. decodeArrayInternal checks that an object is returned but not that a value can be resolved.
Attachments
Patch (3.48 KB, patch)
2021-04-05 16:56 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Patch (3.51 KB, patch)
2021-04-05 21:17 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Patch (3.52 KB, patch)
2021-04-06 00:03 PDT, Ian Gilbert 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Ian Gilbert
Comment 1 2021-04-05 16:22:19 PDT
<rdar://problem/74599877>
Ian Gilbert
Comment 2 2021-04-05 16:32:50 PDT
Filed this as security but I'm pretty sure it isn't.
Ian Gilbert
Comment 3 2021-04-05 16:56:17 PDT
Created attachment 425223 [details] Patch
Ryosuke Niwa
Comment 4 2021-04-05 17:36:25 PDT
Comment on attachment 425223 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425223&action=review > LayoutTests/ipc/decode-object-array-crash.html:13 > +</script> Can we spit out PASS here like this? document.write('PASS') so that we can be sure that the code ran 'til completion instead of exiting early due to syntax error, etc...
Ian Gilbert
Comment 5 2021-04-05 21:17:20 PDT
Created attachment 425238 [details] Patch
Ryosuke Niwa
Comment 6 2021-04-05 23:40:12 PDT
Comment on attachment 425238 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review > LayoutTests/ipc/decode-object-array-crash.html:13 > + document.write('PASS') oh, put this after if!
Ryosuke Niwa
Comment 7 2021-04-05 23:40:34 PDT
Comment on attachment 425238 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review > LayoutTests/ipc/decode-object-array-crash.html:4 > +Test passes if it does not crash. Also, please wrap this in <p>~</p>
Ian Gilbert
Comment 8 2021-04-06 00:03:02 PDT
Created attachment 425248 [details] Patch
EWS
Comment 9 2021-04-06 01:18:55 PDT
commit-queue failed to commit attachment 425248 [details] to WebKit repository. To retry, please set cq+ flag again.
Ryosuke Niwa
Comment 10 2021-04-06 03:01:33 PDT
Comment on attachment 425248 [details] Patch Clearing flags on attachment: 425248 Committed r275501 (236158@main): <https://commits.webkit.org/236158@main>
Ryosuke Niwa
Comment 11 2021-04-06 03:01:35 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.