Bug 233148

Summary: Do some hardening in IPC::createMessageDecoder()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: WebKit2
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, darin, ggaren, kkinnunen, sam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: none)
Patch (flags: none)

Chris Dumez
Reported 2021-11-15 14:37:22 PST
Do some hardening in IPC::createMessageDecoder().
Attachments
Patch (5.84 KB, patch)
2021-11-15 14:51 PST, Chris Dumez
no flags
Patch (5.84 KB, patch)
2021-11-16 07:16 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2021-11-15 14:37:52 PST
Chris Dumez
Comment 2 2021-11-15 14:51:50 PST
Darin Adler
Comment 3 2021-11-15 17:37:44 PST
Comment on attachment 444307 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444307&action=review

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:438
> +    auto sizeWithPortDescriptors = CheckedSize { sizeof(mach_msg_header_t) } + sizeof(mach_msg_body_t) + numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t);

Could add the first two sizes inside CheckedSize. Is the numberOfPortDescriptors multiplication safe without CheckedSize? Currently it’s converted to CheckedSize only after multiplying.

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:483
> +    auto messageBodySize = CheckedSize { header->msgh_size } - sizeWithPortDescriptors;

Not important to have the CheckedSize cast here.
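Review bot: At ConnectionCocoa.mm:438 the product `numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t)` is evaluated in its operands' own integer types before it joins the checked sum, because `*` binds tighter than `+`, so a wrap inside that product would not be recorded by CheckedSize. Whether it can wrap depends on the type of numberOfPortDescriptors, which the quoted line does not show; writing the term as `CheckedSize { numberOfPortDescriptors } * sizeof(mach_msg_port_descriptor_t)` keeps the whole expression checked regardless of that type.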
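Review bot: At ConnectionCocoa.mm:483 the subtraction goes below zero whenever header->msgh_size is smaller than sizeWithPortDescriptors, and the quoted line does not show messageBodySize being tested for overflow afterwards. Because msgh_size is read from the message header, test the overflow state of messageBodySize and reject the message before the value is used as a length.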
Chris Dumez
Comment 4 2021-11-16 07:16:44 PST
EWS
Comment 5 2021-11-16 08:51:38 PST
Committed r285865 (244291@main): <https://commits.webkit.org/244291@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444375 [details].