210621 – -[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:at:size:]

Bug 210621 - -[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:at:size:]

Summary: -[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:a...

Status:	RESOLVED FIXED

Alias:	None

Product:	Security
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	David Kilzer (:ddkilzer)

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-04-16 15:14 PDT by David Kilzer (:ddkilzer)
Modified:	2021-08-15 08:38 PDT (History)
CC List:	6 users (show)

See Also:	229121

Attachments
Patch v1 (1.61 KB, patch) 2020-04-16 15:19 PDT, David Kilzer (:ddkilzer)	no flags	Details \| Formatted Diff \| Diff
Patch v1 (1.61 KB, patch) 2020-04-16 15:20 PDT, David Kilzer (:ddkilzer)	no flags	Details \| Formatted Diff \| Diff
Patch v1 third time (1.61 KB, patch) 2020-04-16 16:45 PDT, David Kilzer (:ddkilzer)	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Kilzer (:ddkilzer) 2020-04-16 15:14:33 PDT

-[WebPreferences initWithCoder:] should use -[NSCoder decodeValueOfObjCType:at:size:].

Found by clang static analyzer:

Deprecated method '-decodeValueOfObjCType:at:' is insecure as it can lead to potential buffer overflows. Use the safer '-decodeValueOfObjCType:at:size:' method

Comment 1 Radar WebKit Bug Importer 2020-04-16 15:14:45 PDT

<rdar://problem/61906458>

Comment 2 David Kilzer (:ddkilzer) 2020-04-16 15:19:46 PDT

Created attachment 396705 [details]
Patch v1

Comment 3 David Kilzer (:ddkilzer) 2020-04-16 15:20:18 PDT

Created attachment 396706 [details]
Patch v1

Comment 4 David Kilzer (:ddkilzer) 2020-04-16 15:21:37 PDT

(In reply to David Kilzer (:ddkilzer) from comment #3)
> Created attachment 396706 [details]
> Patch v1

Tired.  Uploaded the same patch twice.

Comment 5 David Kilzer (:ddkilzer) 2020-04-16 16:45:56 PDT

Created attachment 396722 [details]
Patch v1 third time

Sigh.  EWS bots won't let me rebuild an obsoleted patch, even if I un-obsolete it.

Comment 6 David Kilzer (:ddkilzer) 2020-04-17 16:55:27 PDT

Patch is ready for review.

Comment 7 EWS 2020-04-18 09:33:08 PDT

Committed r260315: <https://trac.webkit.org/changeset/260315>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 396722 [details].