Bug 209219 - WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified
Importance: P2 Normal
Assignee: Fujii Hironori
URL:
Keywords: InRadar
Depends on:
Blocks: 209131
Reported: 2020-03-17 21:35 PDT by Fujii Hironori
Modified: 2020-03-18 20:01 PDT
Attachments
Patch (2.00 KB, patch), 2020-03-17 21:46 PDT, Fujii Hironori, no flags
Patch (2.03 KB, patch), 2020-03-18 01:13 PDT, Fujii Hironori, no flags
Patch (2.04 KB, patch), 2020-03-18 01:16 PDT, Fujii Hironori, no flags
Patch (2.13 KB, patch), 2020-03-18 13:56 PDT, Fujii Hironori, no flags

Description Fujii Hironori 2020-03-17 21:35:34 PDT
WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers

This is a sub-task of Bug 209131.
Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Comment 1 Fujii Hironori 2020-03-17 21:46:48 PDT
Created attachment 393822 [details]
Patch
Comment 2 Fujii Hironori 2020-03-18 01:13:42 PDT
Created attachment 393827 [details]
Patch
Comment 3 Fujii Hironori 2020-03-18 01:16:32 PDT
Created attachment 393828 [details]
Patch
Comment 4 Darin Adler 2020-03-18 11:22:37 PDT
Comment on attachment 393828 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393828&action=review

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:158
> +    if (!decoder.bufferIsLargeEnoughToContain<unsigned char>(bufferSize))
> +        return false;

This *needs* to be inside the #if USE(UNIX_DOMAIN_SOCKETS) and should be uint8_t, not unsigned char.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:199
> +    data.resize(0);

This is not needed. We can and should rely on being passed an empty vector.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:202
>          decodeSharedBuffer(decoder, buffer);

Strange and incorrect that this does not check the return result. Should say:

    if (!decodeSharedBuffer(decoder, buffer))
        return false;
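An added example (not WebKit's code and not from any patch on this bug): a minimal stand-in for IPC::Decoder with an assumed bufferIsLargeEnoughToContain<T>(count) of the same shape, showing the unchecked decode beside the pattern the review asks for, where the message is validated before `data` is resized and the caller checks the return value.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
// Stand-in for IPC::Decoder (assumed shape, not WebKit's class).
class Decoder {
public:
    Decoder(const uint8_t* buffer, size_t length) : m_pos(buffer), m_end(buffer + length) {}
    // True only if `count` elements of T remain in the message; dividing
    // rather than multiplying keeps count * sizeof(T) from overflowing.
    template<typename T> bool bufferIsLargeEnoughToContain(uint64_t count) const {
        return count <= static_cast<uint64_t>(m_end - m_pos) / sizeof(T);
    }
    bool decode(uint64_t& out) {  // little-endian length field
        if (!bufferIsLargeEnoughToContain<uint64_t>(1)) return false;
        out = 0;
        for (int i = 0; i < 8; ++i) out |= static_cast<uint64_t>(*m_pos++) << (8 * i);
        return true;
    }
    bool decodeFixedLengthData(uint8_t* dst, uint64_t n) {
        if (!bufferIsLargeEnoughToContain<uint8_t>(n)) return false;
        if (n) std::memcpy(dst, m_pos, static_cast<size_t>(n));
        m_pos += n;
        return true;
    }
private:
    const uint8_t* m_pos; const uint8_t* m_end;
};
// Before r258675: the peer-supplied size is trusted and `data` is resized before
// the message is checked, so a forged size alone drives the allocation.
bool decodeSharedBufferUnchecked(Decoder& decoder, std::vector<uint8_t>& data) {
    uint64_t bufferSize;
    if (!decoder.decode(bufferSize)) return false;
    data.resize(static_cast<size_t>(bufferSize));
    return decoder.decodeFixedLengthData(data.data(), bufferSize);
}
// After: reject the message unless it really carries bufferSize bytes, and rely
// on `data` arriving empty instead of calling resize(0) first.
bool decodeSharedBuffer(Decoder& decoder, std::vector<uint8_t>& data) {
    uint64_t bufferSize;
    if (!decoder.decode(bufferSize)) return false;
    if (!decoder.bufferIsLargeEnoughToContain<uint8_t>(bufferSize)) return false;
    data.resize(static_cast<size_t>(bufferSize));
    return decoder.decodeFixedLengthData(data.data(), bufferSize);
}
// Decodes `msg` with either variant, checks the result as the review asks, and reports the vector's final size.
size_t bytesHeldAfterDecode(bool checked, const uint8_t* msg, size_t len, bool& ok) {
    Decoder decoder(msg, len); std::vector<uint8_t> data;
    ok = checked ? decodeSharedBuffer(decoder, data) : decodeSharedBufferUnchecked(decoder, data);
    return data.size();
}
```

With a constructed message whose length field claims 16 bytes but carries only 4, the unchecked variant has already grown the vector to 16 bytes by the time it fails, while the checked variant fails before allocating anything.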
Comment 5 Fujii Hironori 2020-03-18 13:54:06 PDT
Thank you for the review. Will fix.
Comment 6 Fujii Hironori 2020-03-18 13:56:29 PDT
Created attachment 393901 [details]
Patch
Comment 7 Fujii Hironori 2020-03-18 20:00:17 PDT
Comment on attachment 393901 [details]
Patch

Clearing flags on attachment: 393901

Committed r258675: <https://trac.webkit.org/changeset/258675>
Comment 8 Fujii Hironori 2020-03-18 20:00:21 PDT
All reviewed patches have been landed. Closing bug.
Comment 9 Radar WebKit Bug Importer 2020-03-18 20:01:13 PDT
<rdar://problem/60615337>