Bug 209219 - WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers
Summary: WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before alloca...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Fujii Hironori
URL:
Keywords: InRadar
Depends on:
Blocks: 209131
  Show dependency treegraph
 
Reported: 2020-03-17 21:35 PDT by Fujii Hironori
Modified: 2020-03-18 20:01 PDT (History)
2 users (show)

See Also:

Attachments
Patch (2.00 KB, patch)
2020-03-17 21:46 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Patch (2.03 KB, patch)
2020-03-18 01:13 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Patch (2.04 KB, patch)
2020-03-18 01:16 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Patch (2.13 KB, patch)
2020-03-18 13:56 PDT, Fujii Hironori 		no flags Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Fujii Hironori 2020-03-17 21:35:34 PDT 
WebCoreArgumentCoders should check bufferIsLargeEnoughToContain before allocating buffers

This is a sub-task of Bug 209131.
Bug 209131 – Don't allocate a buffer with the decoded size without ensuring bufferIsLargeEnoughToContain(size)
Comment 1 Fujii Hironori 2020-03-17 21:46:48 PDT 
Created attachment 393822 [details]
Patch
Comment 2 Fujii Hironori 2020-03-18 01:13:42 PDT 
Created attachment 393827 [details]
Patch
Comment 3 Fujii Hironori 2020-03-18 01:16:32 PDT 
Created attachment 393828 [details]
Patch
Comment 4 Darin Adler 2020-03-18 11:22:37 PDT 
Comment on attachment 393828 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393828&action=review

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:158
> +    if (!decoder.bufferIsLargeEnoughToContain<unsigned char>(bufferSize))
> +        return false;

This *needs* to be inside the #if USE(UNIX_DOMAIN_SOCKETS) and should be uint8_t, not unsigned char.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:199
> +    data.resize(0);

This is not needed. We can and should rely on being passed an empty vector.

> Source/WebKit/Shared/WebCoreArgumentCoders.cpp:202
>          decodeSharedBuffer(decoder, buffer);

Strange and incorrect that this does not check the return result. Should say:

    if (!decodeSharedBuffer(decoder, buffer))
        return false;
Comment 5 Fujii Hironori 2020-03-18 13:54:06 PDT 
Thank you for the review. Will fix.
Comment 6 Fujii Hironori 2020-03-18 13:56:29 PDT 
Created attachment 393901 [details]
Patch
Comment 7 Fujii Hironori 2020-03-18 20:00:17 PDT 
Comment on attachment 393901 [details]
Patch

Clearing flags on attachment: 393901

Committed r258675: <https://trac.webkit.org/changeset/258675>
Comment 8 Fujii Hironori 2020-03-18 20:00:21 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 9 Radar WebKit Bug Importer 2020-03-18 20:01:13 PDT 
<rdar://problem/60615337>