Bug 147619 - [WK2] Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode()
Summary: [WK2] Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity...
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-03 21:05 PDT by Chris Dumez
Modified: 2015-08-08 14:32 PDT (History)
6 users (show)

See Also:

Attachments
Patch (1.66 KB, patch)
2015-08-03 21:06 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2015-08-03 21:05:52 PDT 
Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode() as we know the size of the Vector in advance.
Comment 1 Chris Dumez 2015-08-03 21:06:50 PDT 
Created attachment 258152 [details]
Patch
Comment 2 Andreas Kling 2015-08-03 21:13:33 PDT 
Comment on attachment 258152 [details]
Patch

r=me, so obvious!
Comment 3 WebKit Commit Bot 2015-08-03 22:02:03 PDT 
Comment on attachment 258152 [details]
Patch

Clearing flags on attachment: 258152

Committed r187812: <http://trac.webkit.org/changeset/187812>
Comment 4 WebKit Commit Bot 2015-08-03 22:02:08 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 5 Anders Carlsson 2015-08-04 10:06:00 PDT 
This is wrong. This means that a malicious web process could send a huge number and crash the UI process. Please revert this.
Comment 6 Chris Dumez 2015-08-04 10:12:30 PDT 
Reverted r187812 for reason:

This is not safe

Committed r187865: <http://trac.webkit.org/changeset/187865>
Comment 7 Darin Adler 2015-08-08 14:32:37 PDT 
(In reply to comment #5)
> This is wrong. This means that a malicious web process could send a huge
> number and crash the UI process. Please revert this.

Without this change, what happens if the web process sends a huge number for size?