Bug 241813

Summary:

std::variant decoding with out-of-bounds index should fail instead of decoding the 0'th type

Product:

WebKit

Reporter:

Alex Christensen <achristensen>

Component:

WebKit2

Assignee:

Alex Christensen <achristensen>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cdumez, kkinnunen, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Alex Christensen

Reported 2022-06-21 11:50:24 PDT

Doesn't really decrease any powers of a compromised process, but IPC bounds checks are generally a good idea. This prevents a debug assertion in fuzzers.

Attachments
Patch (1.16 KB, patch) 2022-06-21 11:51 PDT, Alex Christensen	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alex Christensen

Comment 1 2022-06-21 11:51:35 PDT

Created attachment 460377 [details] Patch

Alex Christensen

Comment 2 2022-06-21 11:58:38 PDT

See rdar://82979527

Chris Dumez

Comment 3 2022-06-21 12:46:24 PDT

Comment on attachment 460377 [details] Patch r=me

EWS

Comment 4 2022-06-21 20:23:03 PDT

Committed r295719 (251724@main): <https://commits.webkit.org/251724@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 460377 [details].

Radar WebKit Bug Importer

Comment 5 2022-06-21 20:24:13 PDT

<rdar://problem/95657318>

Kimmo Kinnunen

Comment 6 2022-06-28 00:41:30 PDT

FWIW, the added `if` is actually dead code since bug 241547, as there are no callers with `i != index`. It's just an artefact of how the recursion for variadic templates is written. E.g. there's no fuzzer in the world that would've hit that assertion.

Note You need to log in before you can comment on or make changes to this bug.