Reserve Vector capacity in VectorArgumentCoder<false, T, inlineCapacity>::decode() as we know the size of the Vector in advance.
Created attachment 258152: Patch
Comment on attachment 258152 (Patch): r=me, so obvious!
Comment on attachment 258152 (Patch): Clearing flags on attachment 258152. Committed r187812: <http://trac.webkit.org/changeset/187812>
All reviewed patches have been landed. Closing bug.
This is wrong. This means that a malicious web process could send a huge number and crash the UI process. Please revert this.
Reverted r187812 for reason: This is not safe Committed r187865: <http://trac.webkit.org/changeset/187865>
(In reply to comment #5)
> This is wrong. This means that a malicious web process could send a huge
> number and crash the UI process. Please revert this.

Without this change, what happens if the web process sends a huge number for size?
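An added example, written for this page and not taken from WebKit or from any commenter, illustrating the concern raised in comment #5: a sender-controlled element count must not be turned into an allocation before the decoder has checked that the remaining bytes could actually hold that many encoded elements. `Decoder`, `Item`, `encodeMessage`, `naiveReserveBytes` and `decodeItemVectorBounded` are hypothetical names constructed here; the 8-byte element size and the 64-bit length prefix are assumptions of the example, not WebKit's wire format.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <optional>
#include <utility>
#include <vector>

// Minimal reader over an untrusted message buffer. A constructed stand-in for an IPC
// argument decoder, not WebKit's own class.
class Decoder {
public:
    Decoder(const uint8_t* data, size_t length) : m_data(data), m_length(length) {}
    size_t remaining() const { return m_length - m_position; }
    // Copies sizeof(T) bytes out of the buffer; fails instead of reading past the end.
    template <typename T> bool decodeScalar(T& out) {
        if (remaining() < sizeof(T)) return false;
        std::memcpy(&out, m_data + m_position, sizeof(T));
        m_position += sizeof(T);
        return true;
    }
private:
    const uint8_t* m_data;
    size_t m_length;
    size_t m_position = 0;
};

// Hypothetical element type: two 32-bit fields, so every encoded element occupies 8 bytes.
struct Item {
    uint32_t a;
    uint32_t b;
    bool operator==(const Item& other) const { return a == other.a && b == other.b; }
};
constexpr size_t kEncodedItemSize = sizeof(uint32_t) * 2;

bool decodeItem(Decoder& decoder, Item& item) {
    return decoder.decodeScalar(item.a) && decoder.decodeScalar(item.b);
}

// Builds a message: a 64-bit element count followed by the items. The count is written
// independently of items.size() so a test can construct a message that lies about its length.
std::vector<uint8_t> encodeMessage(uint64_t claimedCount, const std::vector<Item>& items) {
    std::vector<uint8_t> bytes(sizeof(uint64_t));
    std::memcpy(bytes.data(), &claimedCount, sizeof(uint64_t));
    for (const Item& item : items) {
        uint8_t field[sizeof(uint32_t)];
        std::memcpy(field, &item.a, sizeof(uint32_t));
        bytes.insert(bytes.end(), field, field + sizeof(uint32_t));
        std::memcpy(field, &item.b, sizeof(uint32_t));
        bytes.insert(bytes.end(), field, field + sizeof(uint32_t));
    }
    return bytes;
}

// Bytes an unconditional reserve would request before a single element had been read:
// the sender-controlled count times the element size. nullopt if even the multiplication overflows.
std::optional<uint64_t> naiveReserveBytes(uint64_t claimedCount) {
    if (claimedCount > UINT64_MAX / sizeof(Item)) return std::nullopt;
    return claimedCount * sizeof(Item);
}

struct DecodeResult {
    std::vector<Item> items;
    size_t peakCapacity; // largest capacity the vector held, so a test can see it stayed bounded
};

// Bounded decode: the count becomes a capacity hint only after checking that the bytes still
// in the buffer could hold that many encoded elements. Any shortfall fails the whole decode.
std::optional<DecodeResult> decodeItemVectorBounded(const uint8_t* data, size_t length) {
    Decoder decoder(data, length);
    uint64_t claimedCount = 0;
    if (!decoder.decodeScalar(claimedCount)) return std::nullopt;
    // Each element needs at least kEncodedItemSize bytes, so a larger count cannot be honest.
    if (claimedCount > decoder.remaining() / kEncodedItemSize) return std::nullopt;
    std::vector<Item> items;
    items.reserve(static_cast<size_t>(claimedCount)); // bounded by the data actually present
    for (uint64_t i = 0; i < claimedCount; ++i) {
        Item item{};
        if (!decodeItem(decoder, item)) return std::nullopt;
        items.push_back(item);
    }
    size_t peak = items.capacity();
    return DecodeResult{std::move(items), peak};
}
```

The bound check uses the minimum encoded size of an element; for variable-length element types that minimum is smaller than the typical size, which is why the per-element decode failure path is kept even though, for this fixed-size `Item`, the up-front check already guarantees enough bytes. `naiveReserveBytes` only reports what an unconditional `reserve(count)` would ask the allocator for, so the example never performs that allocation itself.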