RESOLVED FIXED 241547
Ignore badly encoded std::variant IPC messages.
https://bugs.webkit.org/show_bug.cgi?id=241547
Summary Ignore badly encoded std::variant IPC messages.
Jean-Yves Avenard [:jya]
Reported 2022-06-13 06:21:45 PDT
Seen in 241407 with the ipc/pasteboard-write-custom-data.html test. It sends a rubbish buffer over IPC and ensures that the decoder doesn't crash.

When using the std::variant<> decoder, the decoder performs a recursive call in order to decode the property type like so:

    std::variant<T1,T2,T3> obj;
    decode<std::variant<T1,T2,T3...>>() read std::variant's index into i.
    VariantCoder<2, Types...>::decode(decoder, *i);
    VariantCoder<1, Types...>::decode(decoder, *i);
    VariantCoder<0, Types...>::decode(decoder, *i);

If the encoded value of i is nonsensical, we will get into calling VariantCoder<0, Types...>::decode(decoder, *i);

We should exit early when we read the value of i if it's greater than the number of types the variant can contain.
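The following is an added illustration, not WebKit's own IPC code: a toy byte-buffer Decoder, a recursive VariantCoder modelled on the shape described in the report, and a decodeVariant() entry point that rejects an out-of-range index before recursing. Without that early return, any nonsensical index falls through to the VariantCoder<0> specialisation and decodes alternative 0 from whatever bytes follow. The Decoder, the Message alias, the sample buffers and the little-endian/host-endian memcpy are all assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <type_traits>
#include <utility>
#include <variant>
#include <vector>

// Toy stand-in for an IPC decoder (not WebKit's): reads values out of a byte
// buffer. Integers are copied raw, so this assumes host (little-endian) order.
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) {}

    size_t remaining() const { return m_bytes.size() - m_pos; }

    template<typename T>
    std::optional<T> decode() {
        if constexpr (std::is_integral_v<T>) {
            if (remaining() < sizeof(T))
                return std::nullopt;              // truncated message
            T value;
            std::memcpy(&value, m_bytes.data() + m_pos, sizeof(T));
            m_pos += sizeof(T);
            return value;
        } else if constexpr (std::is_same_v<T, std::string>) {
            auto length = decode<uint32_t>();     // length-prefixed string
            if (!length || *length > remaining())
                return std::nullopt;              // length exceeds buffer
            std::string s(reinterpret_cast<const char*>(m_bytes.data() + m_pos), *length);
            m_pos += *length;
            return s;
        } else {
            static_assert(sizeof(T) == 0, "unsupported type for this toy decoder");
        }
    }

private:
    std::vector<uint8_t> m_bytes;
    size_t m_pos = 0;
};

// Recursive coder in the shape the report describes: VariantCoder<N-1> checks
// its own index and otherwise delegates to VariantCoder<N-2>, down to <0>.
template<size_t I, typename... Types>
struct VariantCoder {
    static std::optional<std::variant<Types...>> decode(Decoder& decoder, size_t index) {
        if (index == I) {
            using T = std::variant_alternative_t<I, std::variant<Types...>>;
            auto value = decoder.decode<T>();
            if (!value)
                return std::nullopt;
            return std::variant<Types...>(std::in_place_index<I>, std::move(*value));
        }
        return VariantCoder<I - 1, Types...>::decode(decoder, index);
    }
};

// Base case: decodes alternative 0 unconditionally. It is only safe because
// decodeVariant() below has already rejected any index >= sizeof...(Types).
template<typename... Types>
struct VariantCoder<0, Types...> {
    static std::optional<std::variant<Types...>> decode(Decoder& decoder, size_t /*index*/) {
        using T = std::variant_alternative_t<0, std::variant<Types...>>;
        auto value = decoder.decode<T>();
        if (!value)
            return std::nullopt;
        return std::variant<Types...>(std::in_place_index<0>, std::move(*value));
    }
};

template<typename... Types>
std::optional<std::variant<Types...>> decodeVariant(Decoder& decoder) {
    auto index = decoder.decode<uint32_t>();
    if (!index)
        return std::nullopt;
    // The fix the report asks for: bail out on a nonsensical index instead of
    // letting the recursion bottom out in VariantCoder<0>.
    if (*index >= sizeof...(Types))
        return std::nullopt;
    return VariantCoder<sizeof...(Types) - 1, Types...>::decode(decoder, *index);
}

// Hypothetical message type and constructed sample buffers (index u32, then payload).
using Message = std::variant<int32_t, uint64_t, std::string>;

const std::vector<uint8_t> kValidInt        = {0, 0, 0, 0, 42, 0, 0, 0};
const std::vector<uint8_t> kValidU64        = {1, 0, 0, 0, 0xFF, 0, 0, 0, 0, 0, 0, 0};
const std::vector<uint8_t> kValidString     = {2, 0, 0, 0, 3, 0, 0, 0, 'a', 'b', 'c'};
const std::vector<uint8_t> kRubbishIndex    = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4};  // index 4294967295
const std::vector<uint8_t> kTruncatedString = {2, 0, 0, 0, 100, 0, 0, 0, 'a', 'b', 'c'}; // claims 100 bytes

std::optional<Message> decodeMessage(const std::vector<uint8_t>& bytes) {
    Decoder decoder(bytes);
    return decodeVariant<int32_t, uint64_t, std::string>(decoder);
}
```

The two rubbish inputs exercise the two separate checks: kRubbishIndex is stopped by the index bound in decodeVariant(), while kTruncatedString has a valid index and is stopped by the length check inside Decoder::decode<std::string>(); both return std::nullopt rather than reading past the buffer.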
Radar WebKit Bug Importer
Comment 1 2022-06-13 06:21:59 PDT
Jean-Yves Avenard [:jya]
Comment 2 2022-06-13 07:14:11 PDT
EWS
Comment 3 2022-06-14 16:55:25 PDT
Committed r295545 (251550@main): <https://commits.webkit.org/251550@main> Reviewed commits have been landed. Closing PR #1472 and removing active labels.