Bug 241813

Summary: std::variant decoding with out-of-bounds index should fail instead of decoding the 0'th type
Product: WebKit
Reporter: Alex Christensen <achristensen>
Component: WebKit2
Assignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, kkinnunen, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Alex Christensen 2022-06-21 11:50:24 PDT
Doesn't really decrease any powers of a compromised process, but IPC bounds checks are generally a good idea.  This prevents a debug assertion in fuzzers.
Comment 1 Alex Christensen 2022-06-21 11:51:35 PDT
Created attachment 460377 [details]
Patch
Comment 2 Alex Christensen 2022-06-21 11:58:38 PDT
See rdar://82979527
Comment 3 Chris Dumez 2022-06-21 12:46:24 PDT
Comment on attachment 460377 [details]
Patch

r=me
Comment 4 EWS 2022-06-21 20:23:03 PDT
Committed r295719 (251724@main): <https://commits.webkit.org/251724@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 460377 [details].
Comment 5 Radar WebKit Bug Importer 2022-06-21 20:24:13 PDT
<rdar://problem/95657318>
Comment 6 Kimmo Kinnunen 2022-06-28 00:41:30 PDT
FWIW, the added `if` is actually dead code since bug 241547, as there are no callers with `i != index`. It's just an artefact of how the recursion for variadic templates is written. E.g. there's no fuzzer in the world that would've hit that assertion.
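The pattern the description and Comment 6 refer to, as an added example that is not WebKit's IPC::Decoder or the patch on this bug: a small little-endian message reader with a recursive variadic-template walk over the alternatives of a std::variant. The wire format (4-byte alternative index followed by the payload), the Decoder type, the Payload variant and all function names are constructed here for illustration. The unchecked entry point shows the behaviour the bug title describes, where an out-of-range index silently ends up decoding alternative 0; the checked entry point rejects the index before the walk begins, which is the bounds check the patch adds.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Minimal little-endian reader over a constructed byte buffer. Any short read
// marks the decoder as failed, the way an IPC decoder refuses a truncated message.
struct Decoder {
    const std::vector<uint8_t>& bytes;
    size_t pos = 0;
    bool failed = false;

    std::optional<uint32_t> decodeUInt32()
    {
        if (failed || bytes.size() - pos < 4) { failed = true; return std::nullopt; }
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= uint32_t(bytes[pos + i]) << (8 * i);
        pos += 4;
        return v;
    }

    // Length-prefixed string: 4-byte length, then the bytes.
    std::optional<std::string> decodeString()
    {
        auto len = decodeUInt32();
        if (!len || bytes.size() - pos < *len) { failed = true; return std::nullopt; }
        std::string s(bytes.begin() + pos, bytes.begin() + pos + *len);
        pos += *len;
        return s;
    }
};

// Per-type decode hooks (hypothetical; one per alternative used below).
template<typename T> std::optional<T> decodeValue(Decoder&);
template<> std::optional<uint32_t> decodeValue<uint32_t>(Decoder& d) { return d.decodeUInt32(); }
template<> std::optional<std::string> decodeValue<std::string>(Decoder& d) { return d.decodeString(); }

// Recursive walk over the variant's alternatives: decode alternative I if the
// wire index names it, otherwise move on to I + 1. Falling off the end yields
// nullopt without marking the decoder failed; that is the gap the entry points differ on.
template<size_t I, typename Variant>
std::optional<Variant> decodeAlternative(Decoder& d, size_t index)
{
    if (I == index) {
        auto v = decodeValue<std::variant_alternative_t<I, Variant>>(d);
        if (!v) return std::nullopt;
        return Variant(std::in_place_index<I>, std::move(*v));
    }
    if constexpr (I + 1 < std::variant_size_v<Variant>)
        return decodeAlternative<I + 1, Variant>(d, index);
    else
        return std::nullopt;
}

// Weak form: an index that matches no alternative is "recovered" by decoding
// alternative 0, so an out-of-range index never fails the message.
template<typename Variant>
std::optional<Variant> decodeVariantUnchecked(Decoder& d)
{
    auto index = d.decodeUInt32();
    if (!index) return std::nullopt;
    auto result = decodeAlternative<0, Variant>(d, *index);
    if (!result && !d.failed)
        result = decodeAlternative<0, Variant>(d, 0);
    return result;
}

// Hardened form: bounds-check the index against the variant's size up front and
// fail the whole decode if it is out of range.
template<typename Variant>
std::optional<Variant> decodeVariantChecked(Decoder& d)
{
    auto index = d.decodeUInt32();
    if (!index) return std::nullopt;
    if (*index >= std::variant_size_v<Variant>) { d.failed = true; return std::nullopt; }
    return decodeAlternative<0, Variant>(d, *index);
}

using Payload = std::variant<uint32_t, std::string>;   // constructed sample variant

static void putU32(std::vector<uint8_t>& out, uint32_t v)
{
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
}

// Constructed wire messages: 4-byte alternative index followed by the payload.
std::vector<uint8_t> messageU32(uint32_t index, uint32_t value)
{
    std::vector<uint8_t> m;
    putU32(m, index);
    putU32(m, value);
    return m;
}

std::vector<uint8_t> messageString(uint32_t index, const std::string& s)
{
    std::vector<uint8_t> m;
    putU32(m, index);
    putU32(m, uint32_t(s.size()));
    m.insert(m.end(), s.begin(), s.end());
    return m;
}

// Return the decoded alternative's index, or -1 when decoding fails.
int probeUnchecked(const std::vector<uint8_t>& m)
{
    Decoder d { m };
    auto r = decodeVariantUnchecked<Payload>(d);
    return r ? int(r->index()) : -1;
}

int probeChecked(const std::vector<uint8_t>& m)
{
    Decoder d { m };
    auto r = decodeVariantChecked<Payload>(d);
    return r ? int(r->index()) : -1;
}

int main()
{
    std::printf("unchecked, wire index 7: alternative %d\n", probeUnchecked(messageU32(7, 42)));
    std::printf("checked,   wire index 7: alternative %d\n", probeChecked(messageU32(7, 42)));
    return 0;
}
```

With a wire index of 7 against a two-alternative variant, the unchecked path reports alternative 0 and the checked path reports failure; both paths still agree on well-formed messages and on truncated ones, because truncation sets the decoder's failed flag and the unchecked fallback only fires when the walk finished cleanly. The check costs one comparison and, as Comment 6 notes for the actual WebKit code, can be unreachable once all callers pass a validated index; keeping it at the entry point still documents the invariant and keeps the decoder correct if a caller is added later.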