Bug 241813 - std::variant decoding with out-of-bounds index should fail instead of decoding the 0'th type
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Alex Christensen
Keywords: InRadar
Depends on:
Reported: 2022-06-21 11:50 PDT by Alex Christensen
Modified: 2022-06-28 00:41 PDT

Patch (1.16 KB, patch)
2022-06-21 11:51 PDT, Alex Christensen

Description Alex Christensen 2022-06-21 11:50:24 PDT
Doesn't really decrease any powers of a compromised process, but IPC bounds checks are generally a good idea. This prevents a debug assertion in fuzzers.
Comment 1 Alex Christensen 2022-06-21 11:51:35 PDT
Created attachment 460377 [details]
Comment 2 Alex Christensen 2022-06-21 11:58:38 PDT
See rdar://82979527
Comment 3 Chris Dumez 2022-06-21 12:46:24 PDT
Comment on attachment 460377 [details]

Comment 4 EWS 2022-06-21 20:23:03 PDT
Committed r295719 (251724@main): <https://commits.webkit.org/251724@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 460377 [details].
Comment 5 Radar WebKit Bug Importer 2022-06-21 20:24:13 PDT
Comment 6 Kimmo Kinnunen 2022-06-28 00:41:30 PDT
FWIW, the added `if` is actually dead code since bug 241547, as there are no callers with `i != index`. It's just an artefact of how the recursion for variadic templates is written. E.g. there's no fuzzer in the world that would've hit that assertion.
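As an added illustration of the behaviour named in the bug title and of the recursion artefact Kimmo describes (this is constructed example code, not the WebKit patch, which is not shown on this page): a toy byte-stream decoder whose template recursion over the variant alternatives falls through to alternative 0 when the index is out of range, next to an entry point that rejects the index before recursing. `Decoder`, `Message` and the function names are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <type_traits>
#include <utility>
#include <variant>
#include <vector>

// Toy byte-stream decoder standing in for an IPC decoder (constructed for this example).
struct Decoder {
    std::vector<uint8_t> bytes;
    size_t pos = 0;

    template<typename T> std::optional<T> decode() {
        static_assert(std::is_trivially_copyable_v<T>);
        if (bytes.size() - pos < sizeof(T))
            return std::nullopt; // truncated message: fail rather than read past the buffer
        T value;
        std::memcpy(&value, bytes.data() + pos, sizeof(T));
        pos += sizeof(T);
        return value;
    }
};

using Message = std::variant<uint8_t, uint32_t, int64_t>;

// Recursion from the last alternative down to 0. The base case decodes alternative 0
// without looking at the index, so an out-of-range index silently becomes alternative 0.
template<size_t I = std::variant_size_v<Message> - 1>
std::optional<Message> decodeAlternative(Decoder& d, size_t index) {
    if constexpr (I > 0) {
        if (index != I)
            return decodeAlternative<I - 1>(d, index);
    }
    auto value = d.decode<std::variant_alternative_t<I, Message>>();
    if (!value)
        return std::nullopt;
    return Message(std::in_place_index<I>, *value);
}

// Entry point: with rejectOutOfBoundsIndex the decode fails on a bad index instead of
// letting the recursion above fall through to alternative 0.
std::optional<Message> decodeMessage(Decoder& d, bool rejectOutOfBoundsIndex) {
    auto index = d.decode<uint8_t>();
    if (!index)
        return std::nullopt;
    if (rejectOutOfBoundsIndex && *index >= std::variant_size_v<Message>)
        return std::nullopt; // out-of-bounds index from the peer: fail the decode
    return decodeAlternative(d, *index);
}
```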