Bug 224214 - IPC::decodeObject null dereference in decodeArrayInternal()
Summary: IPC::decodeObject null dereference in decodeArrayInternal()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-04-05 16:21 PDT by Ian Gilbert
Modified: 2021-04-06 03:01 PDT (History)
See Also:
Attachments
Patch (3.48 KB, patch)
2021-04-05 16:56 PDT, Ian Gilbert
Patch (3.51 KB, patch)
2021-04-05 21:17 PDT, Ian Gilbert
Patch (3.52 KB, patch)
2021-04-06 00:03 PDT, Ian Gilbert

Description Ian Gilbert 2021-04-05 16:21:53 PDT
decodeObject can return { nullptr }, which is a valid object but doesn't have a value. decodeArrayInternal checks that an object is returned but not that a value can be resolved.
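The failure mode the description names, shown as an added C++ illustration that is not WebKit's code: a toy decodeObject stands in for IPC::decodeObject and returns an optional holding a pointer, so an encoded nil comes back as an engaged optional whose pointee is null. An array decoder that tests only the optional lets that element through and dereferences null; the hardened variant tests both the optional and the pointer it holds. The names Object, isEngagedButNull, decodeArrayUnchecked and decodeArrayChecked, and the one-byte tag encoding, are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <optional>
#include <vector>

// Added illustration, not WebKit's code. Object stands in for the decoded
// NSObject; the decoder returns an optional holding a pointer to it, the way
// IPC::decodeObject returns an optional holding a RetainPtr.
struct Object {
    int value;
};
using ObjectPtr = std::shared_ptr<Object>;

// Hypothetical stand-in for decodeObject (tag encoding is an assumption).
// Tag 0 models an encoded nil: decoding succeeds, so the optional is engaged,
// but the pointer inside it is null. That is the { nullptr } result the report
// describes. Tag 1 decodes to a live object; any other tag is a decode failure.
std::optional<ObjectPtr> decodeObject(uint8_t tag)
{
    if (tag == 0)
        return { nullptr }; // engaged optional, null pointee
    if (tag == 1)
        return std::make_shared<Object>(Object { 42 });
    return std::nullopt;    // malformed input: nothing decoded
}

// Makes the three states explicit: engaged-but-null is distinct from both
// "decode failed" (std::nullopt) and "decoded a real object".
bool isEngagedButNull(uint8_t tag)
{
    auto object = decodeObject(tag);
    return object.has_value() && !*object;
}

// The pattern the report points at: only the optional is tested, so an
// engaged optional holding nullptr slips through and is dereferenced.
// Calling this with a 0 tag is a null dereference (undefined behaviour).
std::optional<std::vector<int>> decodeArrayUnchecked(const std::vector<uint8_t>& tags)
{
    std::vector<int> out;
    for (uint8_t tag : tags) {
        auto object = decodeObject(tag);
        if (!object)
            return std::nullopt;          // catches std::nullopt only
        out.push_back((*object)->value);  // null dereference when tag == 0
    }
    return out;
}

// Hardened version: reject the element unless the optional is engaged AND
// the pointer it holds is non-null. Both checks happen before any access.
std::optional<std::vector<int>> decodeArrayChecked(const std::vector<uint8_t>& tags)
{
    std::vector<int> out;
    for (uint8_t tag : tags) {
        auto object = decodeObject(tag);
        if (!object || !*object)
            return std::nullopt;          // decode failure or null object
        out.push_back((*object)->value);
    }
    return out;
}

int main()
{
    // Constructed sample message: two live objects followed by an encoded nil.
    const std::vector<uint8_t> message { 1, 1, 0 };
    auto decoded = decodeArrayChecked(message);
    std::printf("checked decode of {1, 1, 0}: %s\n", decoded ? "accepted" : "rejected");
    std::printf("tag 0 is engaged-but-null: %s\n", isEngagedButNull(0) ? "yes" : "no");
    return 0;
}
```

The point of the two-part condition is that `if (!object)` on an optional only answers "did decoding produce a result"; whether that result is usable is a separate question the pointer inside must answer before anything is read through it.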
Comment 1 Ian Gilbert 2021-04-05 16:22:19 PDT
<rdar://problem/74599877>
Comment 2 Ian Gilbert 2021-04-05 16:32:50 PDT
Filed this as security but I'm pretty sure it isn't.
Comment 3 Ian Gilbert 2021-04-05 16:56:17 PDT
Created attachment 425223
Patch
Comment 4 Ryosuke Niwa 2021-04-05 17:36:25 PDT
Comment on attachment 425223
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425223&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> +</script>

Can we spit out PASS here like this?
document.write('PASS')
so that we can be sure that the code ran 'til completion instead of exiting early due to syntax error, etc...
Comment 5 Ian Gilbert 2021-04-05 21:17:20 PDT
Created attachment 425238
Patch
Comment 6 Ryosuke Niwa 2021-04-05 23:40:12 PDT
Comment on attachment 425238
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:13
> +    document.write('PASS')

oh, put this after if!
Comment 7 Ryosuke Niwa 2021-04-05 23:40:34 PDT
Comment on attachment 425238
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425238&action=review

> LayoutTests/ipc/decode-object-array-crash.html:4
> +Test passes if it does not crash.

Also, please wrap this in <p>~</p>
Comment 8 Ian Gilbert 2021-04-06 00:03:02 PDT
Created attachment 425248
Patch
Comment 9 EWS 2021-04-06 01:18:55 PDT
commit-queue failed to commit attachment 425248 to WebKit repository. To retry, please set cq+ flag again.
Comment 10 Ryosuke Niwa 2021-04-06 03:01:33 PDT
Comment on attachment 425248
Patch

Clearing flags on attachment: 425248

Committed r275501 (236158@main): <https://commits.webkit.org/236158@main>
Comment 11 Ryosuke Niwa 2021-04-06 03:01:35 PDT
All reviewed patches have been landed. Closing bug.