WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers

This is a sub-task of Bug 209131 (Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)).
Created attachment 393822: Patch

Created attachment 393827: Patch

Created attachment 393828: Patch
Comment on attachment 393828: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393828&action=review

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:158
> +    if (!decoder.bufferIsLargeEnoughToContain<unsigned char>(bufferSize))
> +        return false;

This *needs* to be inside the #if USE(UNIX_DOMAIN_SOCKETS) and should be uint8_t, not unsigned char.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:199
> +    data.resize(0);

This is not needed. We can and should rely on being passed an empty vector.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:202
>     decodeSharedBuffer(decoder, buffer);

Strange and incorrect that this does not check the return result. Should say:

    if (!decodeSharedBuffer(decoder, buffer))
        return false;
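The pattern the review above asks for, as an added illustration that is not WebKit's code: a length-prefixed blob is decoded from an untrusted IPC message, and the size the sender claims is checked against the bytes actually remaining in the message (bufferIsLargeEnoughToContain) before any vector is resized, so a lying size field cannot drive a multi-gigabyte allocation. The Decoder class, the message layout (host-order uint64 length followed by the bytes) and the sample messages are all hypothetical constructions for this example; only the names bufferIsLargeEnoughToContain and decodeSharedBuffer are taken from the bug. The caller also propagates the decode failure instead of ignoring it, which is the third point raised in the review.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical stand-in for an IPC decoder over an untrusted byte buffer.
// Modelled on the bufferIsLargeEnoughToContain() idea; not WebKit's Decoder.
class Decoder {
public:
    Decoder(const uint8_t* data, size_t size) : m_buffer(data), m_bufferSize(size), m_pos(0) {}

    // True only if `count` elements of T are still unread in the message.
    template<typename T>
    bool bufferIsLargeEnoughToContain(size_t count) const {
        if (count > std::numeric_limits<size_t>::max() / sizeof(T))
            return false;                       // count * sizeof(T) would overflow
        return count * sizeof(T) <= m_bufferSize - m_pos;
    }

    bool decode(uint64_t& value) {
        if (!bufferIsLargeEnoughToContain<uint64_t>(1))
            return false;
        std::memcpy(&value, m_buffer + m_pos, sizeof(value));
        m_pos += sizeof(value);
        return true;
    }

    bool decodeFixedLengthData(uint8_t* out, size_t count) {
        if (!bufferIsLargeEnoughToContain<uint8_t>(count))
            return false;
        std::memcpy(out, m_buffer + m_pos, count);
        m_pos += count;
        return true;
    }

private:
    const uint8_t* m_buffer;
    size_t m_bufferSize;
    size_t m_pos;
};

// Length-prefixed blob: [uint64 size][size bytes]. The size is attacker-controlled,
// so the remaining-bytes check runs before resize() allocates anything.
bool decodeSharedBuffer(Decoder& decoder, std::vector<uint8_t>& out) {
    uint64_t bufferSize = 0;
    if (!decoder.decode(bufferSize))
        return false;
    if (bufferSize > std::numeric_limits<size_t>::max())
        return false;                           // cannot even be represented on this platform
    if (!decoder.bufferIsLargeEnoughToContain<uint8_t>(static_cast<size_t>(bufferSize)))
        return false;                           // reject before any allocation happens
    out.resize(static_cast<size_t>(bufferSize));
    return decoder.decodeFixedLengthData(out.data(), out.size());
}

// Caller: relies on being passed an empty vector and propagates failure (the review's 2nd and 3rd points).
bool decodeWrapped(const uint8_t* data, size_t size, std::vector<uint8_t>& out) {
    Decoder decoder(data, size);
    std::vector<uint8_t> buffer;
    if (!decodeSharedBuffer(decoder, buffer))
        return false;
    out = std::move(buffer);
    return true;
}

// Constructed messages for demonstration (not captured traffic).
static std::vector<uint8_t> makeMessage(uint64_t claimedSize, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> msg(sizeof(uint64_t));
    std::memcpy(msg.data(), &claimedSize, sizeof(claimedSize));
    msg.insert(msg.end(), payload.begin(), payload.end());
    return msg;
}

bool honestMessageDecodes() {
    std::vector<uint8_t> msg = makeMessage(3, {0x41, 0x42, 0x43});
    std::vector<uint8_t> out;
    return decodeWrapped(msg.data(), msg.size(), out) && out == std::vector<uint8_t>{0x41, 0x42, 0x43};
}

bool lyingMessageIsRejected() {
    // Claims 4 GiB but carries 3 bytes: must fail without ever calling resize(4 GiB).
    std::vector<uint8_t> msg = makeMessage(uint64_t(1) << 32, {0x41, 0x42, 0x43});
    std::vector<uint8_t> out;
    return !decodeWrapped(msg.data(), msg.size(), out) && out.empty();
}

bool truncatedMessageIsRejected() {
    // The size field itself is cut short, so even the uint64 read must be refused.
    std::vector<uint8_t> msg = {0x03, 0x00, 0x00};
    std::vector<uint8_t> out;
    return !decodeWrapped(msg.data(), msg.size(), out);
}
```

The ordering is the whole point: the check happens on the claimed size, against bytes that were actually received, and only then is memory allocated for it. Doing the resize() first and the check afterwards still lets a malicious sender turn one 8-byte field into an allocation of whatever size it names.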
Thank you for the review. Will fix.
Created attachment 393901: Patch

Comment on attachment 393901: Patch
Clearing flags on attachment: 393901
Committed r258675: <https://trac.webkit.org/changeset/258675>
All reviewed patches have been landed. Closing bug.
<rdar://problem/60615337>