| Summary: | Ignore badly encoded std::variant IPC messages. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Jean-Yves Avenard [:jya] <jean-yves.avenard> |
| Component: | WebKit2 | Assignee: | Jean-Yves Avenard [:jya] <jean-yves.avenard> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | kkinnunen, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Other | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Pull request: https://github.com/WebKit/WebKit/pull/1472 Committed r295545 (251550@main): <https://commits.webkit.org/251550@main> Reviewed commits have been landed. Closing PR #1472 and removing active labels. |
Seen in 241407 with the ipc/pasteboard-write-custom-data.html test It sends a rubbish buffer over IPC and ensure that the decoder doesn't crash. When using the std::variant<> decoder, the decoder performs a recursive call in order to decode the property type like so: std::variant<T1,T2,T3> obj; decode<std::variant<T1,T2,T3...>>() read std::variant's index into i. VariantCoder<2, Types...>::decode(decoder, *i); VariantCoder<1, Types...>::decode(decoder, *i); VariantCoder<0, Types...>::decode(decoder, *i); If the encoded value of i is nonsensical, we will get into calling VariantCoder<0, Types...>::decode(decoder, *i); We should exit early when we read the value of I if it's greater than the number of types en variant can contain.