Bug 233148 - Do some hardening in IPC::createMessageDecoder()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Reported: 2021-11-15 14:37 PST by Chris Dumez
Modified: 2021-11-16 08:51 PST

Attachments
Patch (5.84 KB, patch)
2021-11-15 14:51 PST, Chris Dumez
Patch (5.84 KB, patch)
2021-11-16 07:16 PST, Chris Dumez

Description Chris Dumez 2021-11-15 14:37:22 PST
Do some hardening in IPC::createMessageDecoder().
Comment 1 Chris Dumez 2021-11-15 14:37:52 PST
<rdar://75139294>
Comment 2 Chris Dumez 2021-11-15 14:51:50 PST
Created attachment 444307 [details]
Patch
Comment 3 Darin Adler 2021-11-15 17:37:44 PST
Comment on attachment 444307 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444307&action=review

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:438
> +    auto sizeWithPortDescriptors = CheckedSize { sizeof(mach_msg_header_t) } + sizeof(mach_msg_body_t) + numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t);
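Review bot: the product `numberOfPortDescriptors * sizeof(mach_msg_port_descriptor_t)` is evaluated in plain integer arithmetic before it is added to the CheckedSize, so a wrap in that multiplication is never recorded and the check only covers the two additions. Start the checked chain before multiplying, e.g. `CheckedSize { sizeof(mach_msg_header_t) } + sizeof(mach_msg_body_t) + CheckedSize { numberOfPortDescriptors } * sizeof(mach_msg_port_descriptor_t)`, so that an oversized descriptor count flags `hasOverflowed()` on the total.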

Could add the first two sizes inside CheckedSize.

Is the numberOfPortDescriptors multiplication safe without CheckedSize? Currently it’s converted to CheckedSize only after multiplying.

> Source/WebKit/Platform/IPC/cocoa/ConnectionCocoa.mm:483
> +    auto messageBodySize = CheckedSize { header->msgh_size } - sizeWithPortDescriptors;

Not important to have the CheckedSize cast here.
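The operand-order point from the review above, as an added example that is not WebKit's code: the CheckedSize here is a minimal stand-in for WTF::CheckedSize, and the header, body and descriptor sizes are constructed values rather than the real Mach structure sizes.

```cpp
#include <cstddef>
#include <cstdint>

// Minimal stand-in for WTF::CheckedSize (not WebKit's implementation): a size_t
// that remembers whether any operation performed on it has overflowed.
struct CheckedSize {
    size_t value = 0;
    bool overflowed = false;

    CheckedSize() = default;
    CheckedSize(size_t v) : value(v) {}
    CheckedSize operator+(size_t rhs) const {
        CheckedSize r = *this;
        if (__builtin_add_overflow(value, rhs, &r.value)) r.overflowed = true;
        return r;
    }
    CheckedSize operator+(CheckedSize rhs) const {
        CheckedSize r = *this + rhs.value;
        r.overflowed = r.overflowed || rhs.overflowed;
        return r;
    }
    CheckedSize operator*(size_t rhs) const {
        CheckedSize r = *this;
        if (__builtin_mul_overflow(value, rhs, &r.value)) r.overflowed = true;
        return r;
    }
    bool hasOverflowed() const { return overflowed; }
};
// Constructed stand-ins for sizeof(mach_msg_header_t) etc.; only the
// evaluation order matters here, not the exact values.
constexpr size_t kHeaderSize = 24;
constexpr size_t kBodySize = 4;
constexpr size_t kPortDescriptorSize = 12;

// Mirrors the patched line: the multiplication runs in plain size_t and only
// its (possibly wrapped) result enters the checked chain, so a wrap there is lost.
bool unsafeOrderDetectsOverflow(size_t numberOfPortDescriptors) {
    auto total = CheckedSize { kHeaderSize } + kBodySize
        + numberOfPortDescriptors * kPortDescriptorSize;
    return total.hasOverflowed();
}

// The reviewer's suggestion: make the descriptor count checked before multiplying,
// so the product's overflow is recorded and propagates through the sum.
bool checkedOrderDetectsOverflow(size_t numberOfPortDescriptors) {
    auto total = CheckedSize { kHeaderSize } + kBodySize
        + CheckedSize { numberOfPortDescriptors } * kPortDescriptorSize;
    return total.hasOverflowed();
}
```

With a descriptor count just large enough to wrap the product, the first form reports a small, plausible total and no overflow, while the second flags it.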
Comment 4 Chris Dumez 2021-11-16 07:16:44 PST
Created attachment 444375 [details]
Patch
Comment 5 EWS 2021-11-16 08:51:38 PST
Committed r285865 (244291@main): <https://commits.webkit.org/244291@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444375 [details].