Bug 224214

Summary: IPC::decodeObject null dereference in decodeArrayInternal()
Product: WebKit
Reporter: Ian Gilbert <iang>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cdumez, ews-feeder, kkinnunen, product-security, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none
Patch / none

Description Ian Gilbert 2021-04-05 16:21:53 PDT
decodeObject can return { nullptr }, which is a valid object but doesn't have a value. decodeArrayInternal checks that an object is returned but not that a value can be resolved.
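The shape of the bug the description refers to, as an added C++ illustration (this is not WebKit's code; the names Decoder, Node, decodeObject, decodeArrayUnchecked and decodeArrayChecked and the one-byte-tag wire format are assumptions for this example). The decoder's return type has three states: a disengaged optional for a decode failure, an engaged optional holding nullptr for an encoded null object, and an engaged non-null pointer. The pre-fix array loop only tests the first of these; the fixed loop rejects the engaged-but-null case before resolving a value from it.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <utility>
#include <vector>

// Toy element type and wire format (assumed for this example):
// each element is a tag byte, 0 = null object, 1 = object followed by one payload byte.
struct Node { uint32_t payload; };

struct Decoder {
    std::vector<uint8_t> bytes;  // constructed sample message, owned by the decoder
    size_t pos = 0;
    explicit Decoder(std::vector<uint8_t> b) : bytes(std::move(b)) {}
    bool take(uint8_t& out) {
        if (pos >= bytes.size()) return false;
        out = bytes[pos++];
        return true;
    }
};

// Three distinct outcomes:
//   std::nullopt            -> malformed stream, decode failed
//   engaged, holding nullptr -> valid encoding of "no object" ({ nullptr })
//   engaged, non-null        -> a real object
std::optional<std::shared_ptr<Node>> decodeObject(Decoder& d) {
    uint8_t tag;
    if (!d.take(tag)) return std::nullopt;
    if (tag == 0) return std::shared_ptr<Node>();  // { nullptr }: an object, but no value
    if (tag != 1) return std::nullopt;
    uint8_t v;
    if (!d.take(v)) return std::nullopt;
    return std::make_shared<Node>(Node{v});
}

// Pre-fix shape of the check: only "did decodeObject return an optional?" is tested.
// The null dereference is replaced by setting nullDeref so the example can run;
// the marked line stands in for (*object)->payload on a null pointer.
bool decodeArrayUnchecked(Decoder& d, size_t count, std::vector<uint32_t>& out, bool& nullDeref) {
    nullDeref = false;
    for (size_t i = 0; i < count; ++i) {
        auto object = decodeObject(d);
        if (!object) return false;                        // decode failure: caught
        if (!*object) { nullDeref = true; return false; } // { nullptr }: would crash here
        out.push_back((*object)->payload);
    }
    return true;
}

// Fixed shape: the engaged-but-null case is rejected before a value is resolved from it.
bool decodeArrayChecked(Decoder& d, size_t count, std::vector<uint32_t>& out) {
    for (size_t i = 0; i < count; ++i) {
        auto object = decodeObject(d);
        if (!object || !*object) return false;  // both failure and { nullptr } handled
        out.push_back((*object)->payload);
    }
    return true;
}
```

The point of the two-step check is that a null object is a valid, attacker-choosable message on an IPC boundary, so any array decoder must decide explicitly whether null elements are acceptable rather than letting the question collapse into a pointer dereference.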
Comment 1 Ian Gilbert 2021-04-05 16:22:19 PDT
<rdar://problem/74599877>
Comment 2 Ian Gilbert 2021-04-05 16:32:50 PDT
Filed this as security but I'm pretty sure it isn't.
Comment 3 Ian Gilbert 2021-04-05 16:56:17 PDT
Created attachment 425223 [details]
Patch
Comment 4 Ryosuke Niwa 2021-04-05 17:36:25 PDT
Comment on attachment 425223 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425223&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> +</script>

Can we spit out PASS here like this?
document.write('PASS')
so that we can be sure that the code ran 'til completion instead of exiting early due to syntax error, etc...
Comment 5 Ian Gilbert 2021-04-05 21:17:20 PDT
Created attachment 425238 [details]
Patch
Comment 6 Ryosuke Niwa 2021-04-05 23:40:12 PDT
Comment on attachment 425238 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> +    document.write('PASS')

oh, put this after if!
Comment 7 Ryosuke Niwa 2021-04-05 23:40:34 PDT
Comment on attachment 425238 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:4
> +Test passes if it does not crash.

Also, please wrap this in <p>~</p>
Comment 8 Ian Gilbert 2021-04-06 00:03:02 PDT
Created attachment 425248 [details]
Patch
Comment 9 EWS 2021-04-06 01:18:55 PDT
commit-queue failed to commit attachment 425248 [details] to WebKit repository. To retry, please set cq+ flag again.
Comment 10 Ryosuke Niwa 2021-04-06 03:01:33 PDT
Comment on attachment 425248 [details]
Patch

Clearing flags on attachment: 425248

Committed r275501 (236158@main): <https://commits.webkit.org/236158@main>
Comment 11 Ryosuke Niwa 2021-04-06 03:01:35 PDT
All reviewed patches have been landed.  Closing bug.