Bug 241547 - Ignore badly encoded std::variant IPC messages.
Summary: Ignore badly encoded std::variant IPC messages.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jean-Yves Avenard [:jya]
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-06-13 06:21 PDT by Jean-Yves Avenard [:jya]
Modified: 2022-06-14 16:55 PDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-Yves Avenard [:jya] 2022-06-13 06:21:45 PDT 
Seen in 241407 with the ipc/pasteboard-write-custom-data.html test

It sends a rubbish buffer over IPC and ensure that the decoder doesn't crash.

When using the std::variant<> decoder, the decoder performs a recursive call in order to decode the property type like so:

std::variant<T1,T2,T3> obj;

decode<std::variant<T1,T2,T3...>>()
    read std::variant's index into i.
    VariantCoder<2, Types...>::decode(decoder, *i);
        VariantCoder<1, Types...>::decode(decoder, *i);
            VariantCoder<0, Types...>::decode(decoder, *i);

If the encoded value of i is nonsensical, we will get into calling VariantCoder<0, Types...>::decode(decoder, *i);

We should exit early when we read the value of I if it's greater than the number of types en variant can contain.
Comment 1 Radar WebKit Bug Importer 2022-06-13 06:21:59 PDT 
<rdar://problem/95016858>
Comment 2 Jean-Yves Avenard [:jya] 2022-06-13 07:14:11 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/1472
Comment 3 EWS 2022-06-14 16:55:25 PDT 
Committed r295545 (251550@main): <https://commits.webkit.org/251550@main>

Reviewed commits have been landed. Closing PR #1472 and removing active labels.