Summary: std::variant decoding with out-of-bounds index should fail instead of decoding the 0'th type
Product: WebKit
Component: WebKit2
Reporter: Alex Christensen <achristensen>
Assignee: Alex Christensen <achristensen>
Severity: Normal
CC: cdumez, kkinnunen, webkit-bug-importer
Version: WebKit Nightly Build
Description Alex Christensen 2022-06-21 11:50:24 PDT
Doesn't really decrease any powers of a compromised process, but IPC bounds checks are generally a good idea. This prevents a debug assertion in fuzzers.
Comment 4 EWS 2022-06-21 20:23:03 PDT
Committed r295719 (251724@main): <https://commits.webkit.org/251724@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 460377.
Comment 6 Kimmo Kinnunen 2022-06-28 00:41:30 PDT
FWIW, the added `if` is actually dead code since bug 241547, as there are no callers with `i != index`. It's just an artefact of how the recursion for variadic templates is written. E.g. there's no fuzzer in the world that would've hit that assertion.
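An added example (not WebKit's IPC code) of the two points above: a toy variadic-template variant decoder whose recursion fails when the alternatives are exhausted, plus the explicit up-front bounds check on the untrusted wire index from the description. The reader, wire layout and the one-byte-per-alternative format are constructed for this example; note that once `decodeVariant` rejects out-of-range indices, the exhausted-recursion branch in `decodeAlternative` can no longer be reached, which is the dead-code situation Kimmo describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <variant>
#include <vector>

// Constructed byte-stream reader for this example; not WebKit's IPC::Decoder.
struct Reader {
    const std::vector<uint8_t>& bytes;
    size_t pos = 0;
    std::optional<uint8_t> take() {
        if (pos >= bytes.size()) return std::nullopt;
        return bytes[pos++];
    }
};

// Variadic recursion over the alternatives: match wire index `i` against slot `I`.
// Once every slot is exhausted the index was out of range, so decoding fails
// rather than silently producing alternative 0. (Each alternative is one byte wide here.)
template<typename Variant, size_t I = 0>
std::optional<Variant> decodeAlternative(Reader& r, size_t i) {
    if constexpr (I >= std::variant_size_v<Variant>) {
        return std::nullopt;
    } else {
        if (i != I) return decodeAlternative<Variant, I + 1>(r, i);
        auto b = r.take();
        if (!b) return std::nullopt;
        using T = std::variant_alternative_t<I, Variant>;
        return Variant(std::in_place_index<I>, static_cast<T>(*b));
    }
}

// Wire layout (constructed): [index byte][payload byte].
template<typename Variant>
std::optional<Variant> decodeVariant(const std::vector<uint8_t>& bytes) {
    Reader r { bytes };
    auto index = r.take();
    // Explicit bounds check before recursing: an untrusted index >= variant_size is rejected.
    if (!index || *index >= std::variant_size_v<Variant>) return std::nullopt;
    return decodeAlternative<Variant>(r, *index);
}

using Msg = std::variant<uint8_t, int8_t, bool>;

int main() {
    auto ok = decodeVariant<Msg>({ 2, 1 });  // index 2 -> bool alternative holding true
    auto bad = decodeVariant<Msg>({ 7, 1 }); // index 7 -> out of range, decoding fails
    std::cout << (ok && ok->index() == 2) << ' ' << !bad.has_value() << '\n'; // prints "1 1"
}
```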