RESOLVED FIXED 224984
Remove decoder memory allocations based on untrusted data (sizes) in the stream; related changes 
https://bugs.webkit.org/show_bug.cgi?id=224984
Summary Remove decoder memory allocations based on untrusted data (sizes) in the stre...
Darin Adler
Reported 2021-04-23 10:05:40 PDT
Remove decoder memory allocations based on untrusted data (sizes) in the stream; related changes
Attachments
Patch (18.08 KB, patch)
2021-04-23 10:38 PDT, Darin Adler 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2021-04-23 10:38:05 PDT
Created attachment 426923 [details] Patch
Darin Adler
Comment 2 2021-04-23 10:46:12 PDT
*** Bug 209270 has been marked as a duplicate of this bug. ***
Sam Weinig
Comment 3 2021-04-23 10:58:25 PDT
Comment on attachment 426923 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426923&action=review > Source/WebKit/Platform/IPC/ArgumentCoders.h:-517 > HashMapType hashMap; > - hashMap.reserveInitialCapacity(hashMapSize); Should we consider doing the trick we do for Vector here where if the key and value are both fixed size we can check that the buffer is big enough to contain size * (sizeof(key type) + sizeof(value type)) and then reserve? I don't have a good feeling about what type of HashMaps/HashSets we use so I am not sure if that is a useful optimization.
Darin Adler
Comment 4 2021-04-23 11:01:09 PDT
Comment on attachment 426923 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=426923&action=review >> Source/WebKit/Platform/IPC/ArgumentCoders.h:-517 >> - hashMap.reserveInitialCapacity(hashMapSize); > > Should we consider doing the trick we do for Vector here where if the key and value are both fixed size we can check that the buffer is big enough to contain size * (sizeof(key type) + sizeof(value type)) and then reserve? I don't have a good feeling about what type of HashMaps/HashSets we use so I am not sure if that is a useful optimization. Not sure what you suggest can be done, but I’m sure we can do some kind of reality check about the remaining size of the decoding stream and reserve if it passes that check. But I don’t see this in VectorArgumentCoder. Where is the code for that trick you are referring to?
Darin Adler
Comment 5 2021-04-23 11:01:33 PDT
Oh, I see now. That first bool in the template!
Darin Adler
Comment 6 2021-04-23 11:01:56 PDT
(In reply to Darin Adler from comment #5) > Oh, I see now. That first bool in the template! That’s a surprisingly narrow optimization.
Darin Adler
Comment 7 2021-04-23 11:09:04 PDT
(In reply to Darin Adler from comment #6) > (In reply to Darin Adler from comment #5) > > Oh, I see now. That first bool in the template! > > That’s a surprisingly narrow optimization. It’s a more specific optimization for a smaller set of types. It’s "treat this as a single buffer and read it all at once using decodeFixedLengthData" when it’s a simple scalar. It does seem like there are conditions where we can sufficiently vet the size and use it to preallocate space in the hash table. Using the relationship between the size of the remaining data and the size that we pre-allocate. But, like you, Sam, I don’t know how important and valuable this optimization is. It saves memory (very important) on hash tables that we send across IPC (wait, what?, why?).
Darin Adler
Comment 8 2021-04-23 12:06:34 PDT
Committed r276510 (236967@main): <https://commits.webkit.org/236967@main>
Radar WebKit Bug Importer
Comment 9 2021-04-24 15:02:29 PDT
<rdar://problem/77110020>
Note You need to log in before you can comment on or make changes to this bug.