53617 – uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

NEW 53617

uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

https://bugs.webkit.org/show_bug.cgi?id=53617

Summary uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

Adam Roben (:aroben)

Reported 2011-02-02 12:17:20 PST

If a function like ArgumentDecoder::decodeBytes [1] decodes a size greater than std::numeric_limits<size_t>::max(), we'll end up calling buffer.resize(0) and then trying to memcpy 0 bytes into the null buffer. This is very strange behavior, and probably unexpected. It would likely be better to detect the overflow and just bail out. 1. http://trac.webkit.org/browser/trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp?rev=77378#L95

Attachments
Add attachment proposed patch, testcase, etc.

Adam Roben (:aroben)

Comment 1 2011-02-02 12:17:44 PST

See bug 53615, and especially bug 53615 comment 4.

Adam Roben (:aroben)

Comment 2 2011-02-02 12:25:12 PST

<rdar://problem/8949884>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component WebKit2

Assignee

Nobody

Reported

2011-02-02 12:17 PST

Modified

2011-02-02 12:25 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks