Bug 53617

Summary:	uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC
Product:	WebKit	Reporter:	Adam Roben (:aroben) <aroben>
Component:	WebKit2	Assignee:	Nobody <webkit-unassigned>
Status:	NEW
Severity:	Normal	CC:	andersca, darin
Priority:	P2	Keywords:	InRadar
Version:	528+ (Nightly build)
Hardware:	All
OS:	All

Adam Roben (:aroben)

Reported 2011-02-02 12:17:20 PST

If a function like ArgumentDecoder::decodeBytes [1] decodes a size greater than std::numeric_limits<size_t>::max(), we'll end up calling buffer.resize(0) and then trying to memcpy 0 bytes into the null buffer. This is very strange behavior, and probably unexpected. It would likely be better to detect the overflow and just bail out. 1. http://trac.webkit.org/browser/trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp?rev=77378#L95

Attachments
Add attachment proposed patch, testcase, etc.

Adam Roben (:aroben)

Comment 1 2011-02-02 12:17:44 PST

See bug 53615, and especially bug 53615 comment 4.

Adam Roben (:aroben)

Comment 2 2011-02-02 12:25:12 PST

<rdar://problem/8949884>

Note You need to log in before you can comment on or make changes to this bug.