53617 – uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

Bug 53617 - uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

Summary: uint64_t to size_t conversion can lead to unexpected behavior in CoreIPC

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2011-02-02 12:17 PST by Adam Roben (:aroben)
Modified:	2011-02-02 12:25 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Adam Roben (:aroben) 2011-02-02 12:17:20 PST

If a function like ArgumentDecoder::decodeBytes [1] decodes a size greater than std::numeric_limits<size_t>::max(), we'll end up calling buffer.resize(0) and then trying to memcpy 0 bytes into the null buffer. This is very strange behavior, and probably unexpected.

It would likely be better to detect the overflow and just bail out.

1. http://trac.webkit.org/browser/trunk/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp?rev=77378#L95

Comment 1 Adam Roben (:aroben) 2011-02-02 12:17:44 PST

See bug 53615, and especially bug 53615 comment 4.

Comment 2 Adam Roben (:aroben) 2011-02-02 12:25:12 PST

<rdar://problem/8949884>