Bug 233148

Summary: Do some hardening in IPC::createMessageDecoder()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebKit2
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, darin, ggaren, kkinnunen, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (Flags: none)
Patch (Flags: none)

Description Chris Dumez 2021-11-15 14:37:22 PST
Do some hardening in IPC::createMessageDecoder().
Comment 1 Chris Dumez 2021-11-15 14:37:52 PST
<rdar://75139294>
Comment 2 Chris Dumez 2021-11-15 14:51:50 PST
Created attachment 444307 [details]
Patch
Comment 3 Darin Adler 2021-11-15 17:37:44 PST
Comment on attachment 444307 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444307&action=review

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:438
> +    auto sizeWithPortDescriptors = CheckedSize { sizeof(mach_msg_header_t) } + sizeof(mach_msg_body_t) + numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t);
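Review bot: the product numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t) is evaluated in plain integer arithmetic before it is added to the CheckedSize, so a wrap in the multiplication is never recorded; only the two additions are checked. Start the checked chain at the count instead, e.g. `CheckedSize { numberOfPortDescriptors } * sizeof(mach_msg_port_descriptor_t)`, and the two constant sizeof terms can be folded into the initial CheckedSize.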

Could add the first two sizes inside CheckedSize.

Is the numberOfPortDescriptors multiplication safe without CheckedSize? Currently it’s converted to CheckedSize only after multiplying.

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:483
> +    auto messageBodySize = CheckedSize { header->msgh_size } - sizeWithPortDescriptors;
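Review bot: sizeWithPortDescriptors is already a CheckedSize, so wrapping header->msgh_size in one is redundant; the subtraction is checked either way. What this line does not show is where messageBodySize.hasOverflowed() is consulted: since CheckedSize records overflow rather than trapping, a header whose msgh_size is smaller than sizeWithPortDescriptors must be rejected explicitly before the result is used as a body length.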

Not important to have the CheckedSize cast here.
Comment 4 Chris Dumez 2021-11-16 07:16:44 PST
Created attachment 444375 [details]
Patch
Comment 5 EWS 2021-11-16 08:51:38 PST
Committed r285865 (244291@main): <https://commits.webkit.org/244291@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444375 [details].