RESOLVED FIXED 241813
std::variant decoding with out-of-bounds index should fail instead of decoding the 0'th type
https://bugs.webkit.org/show_bug.cgi?id=241813
Alex Christensen
Reported 2022-06-21 11:50:24 PDT
Doesn't really decrease any powers of a compromised process, but IPC bounds checks are generally a good idea. This prevents a debug assertion in fuzzers.
Attachments
Patch (1.16 KB, patch)
2022-06-21 11:51 PDT, Alex Christensen
no flags
Alex Christensen
Comment 1 2022-06-21 11:51:35 PDT
Alex Christensen
Comment 2 2022-06-21 11:58:38 PDT
Chris Dumez
Comment 3 2022-06-21 12:46:24 PDT
Comment on attachment 460377 [details]
Patch

r=me
EWS
Comment 4 2022-06-21 20:23:03 PDT
Committed r295719 (251724@main): <https://commits.webkit.org/251724@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 460377 [details].
Radar WebKit Bug Importer
Comment 5 2022-06-21 20:24:13 PDT
Kimmo Kinnunen
Comment 6 2022-06-28 00:41:30 PDT
FWIW, the added `if` is actually dead code since bug 241547, as there are no callers with `i != index`. It's just an artefact of how the recursion for variadic templates is written. E.g. there's no fuzzer in the world that would've hit that assertion.
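Added example, not WebKit's code: a minimal IPC-style std::variant decoder written in the recursive variadic-template style the thread describes, with the base case compiled both without and with the out-of-bounds index check. The names (Decoder, Coder, VariantCoder, decodeVariant), the wire format (little-endian uint32_t alternative index followed by the alternative's payload) and the constructed messages are assumptions for illustration; WebKit's ArgumentCoders differ in detail.

```cpp
// Added example (hypothetical names, simplified wire format), not WebKit's code.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Byte-stream decoder: hands out `n` bytes or fails permanently.
class Decoder {
public:
    explicit Decoder(std::vector<uint8_t> bytes) : m_bytes(std::move(bytes)) { }
    const uint8_t* take(size_t n)
    {
        if (m_failed || n > m_bytes.size() - m_pos) {
            m_failed = true;
            return nullptr;
        }
        const uint8_t* p = m_bytes.data() + m_pos;
        m_pos += n;
        return p;
    }
    bool failed() const { return m_failed; }
private:
    std::vector<uint8_t> m_bytes;
    size_t m_pos { 0 };
    bool m_failed { false };
};

// Per-type coders: little-endian uint32_t, and a uint32_t-length-prefixed string.
template<typename T> struct Coder;
template<> struct Coder<uint32_t> {
    static std::optional<uint32_t> decode(Decoder& d)
    {
        const uint8_t* p = d.take(4);
        if (!p)
            return std::nullopt;
        return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
    }
};
template<> struct Coder<std::string> {
    static std::optional<std::string> decode(Decoder& d)
    {
        auto length = Coder<uint32_t>::decode(d);
        if (!length)
            return std::nullopt;
        const uint8_t* p = d.take(*length);
        if (!p)
            return std::nullopt;
        return std::string(reinterpret_cast<const char*>(p), *length);
    }
};

// Recursive variant decoder: try alternative `index`, otherwise recurse to index - 1.
// `checkBounds` selects whether the base case rejects an index that matched nothing.
template<bool checkBounds, size_t index, typename... Types>
struct VariantCoder {
    static std::optional<std::variant<Types...>> decode(Decoder& d, size_t i)
    {
        if (i == index) {
            using T = std::variant_alternative_t<index, std::variant<Types...>>;
            auto value = Coder<T>::decode(d);
            if (!value)
                return std::nullopt;
            return std::variant<Types...>(std::in_place_index<index>, std::move(*value));
        }
        return VariantCoder<checkBounds, index - 1, Types...>::decode(d, i);
    }
};
template<bool checkBounds, typename... Types>
struct VariantCoder<checkBounds, 0, Types...> {
    static std::optional<std::variant<Types...>> decode(Decoder& d, size_t i)
    {
        // Unchecked: every index >= sizeof...(Types) falls through to here and is
        // silently decoded as alternative 0. Checked: anything but index 0 fails.
        if (checkBounds && i != 0)
            return std::nullopt;
        using T = std::variant_alternative_t<0, std::variant<Types...>>;
        auto value = Coder<T>::decode(d);
        if (!value)
            return std::nullopt;
        return std::variant<Types...>(std::in_place_index<0>, std::move(*value));
    }
};

// Wire format: uint32_t alternative index, then that alternative's payload.
template<bool checkBounds, typename... Types>
std::optional<std::variant<Types...>> decodeVariant(Decoder& d)
{
    auto i = Coder<uint32_t>::decode(d);
    if (!i)
        return std::nullopt;
    return VariantCoder<checkBounds, sizeof...(Types) - 1, Types...>::decode(d, *i);
}

// Constructed message: index 7 (out of bounds for two alternatives), then 0x2a 0 0 0.
// Returns the alternative the decoder picked, or -1 if decoding failed.
int decodeOutOfBoundsIndex(bool checked)
{
    Decoder d(std::vector<uint8_t> { 7, 0, 0, 0, 0x2a, 0, 0, 0 });
    auto result = checked ? decodeVariant<true, uint32_t, std::string>(d)
                          : decodeVariant<false, uint32_t, std::string>(d);
    return result ? int(result->index()) : -1;
}

// Constructed message: index 1 (std::string), length 2, "ok".
std::optional<std::string> decodeValidString()
{
    Decoder d(std::vector<uint8_t> { 1, 0, 0, 0, 2, 0, 0, 0, 'o', 'k' });
    auto result = decodeVariant<true, uint32_t, std::string>(d);
    if (!result || result->index() != 1)
        return std::nullopt;
    return std::get<1>(*result);
}
```

With the check disabled, the out-of-bounds message decodes as alternative 0 holding 42; with it enabled, the same bytes are rejected. As the comment above notes, the check can equally live in the caller before the recursion starts, in which case the base-case test is unreachable; this example deliberately omits a caller-side check so the two behaviours are observable.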