[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
andersca at apple.com
andersca at apple.com
Wed Dec 22 11:47:40 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit f2932dc61f1c68bd00b879d5cc299a59d01b993a
Author: andersca at apple.com <andersca at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Aug 6 22:39:28 2010 +0000
Don't try to allocate a vector unless we know the buffer can contain it
https://bugs.webkit.org/show_bug.cgi?id=43647
Reviewed by Sam Weinig.
* Platform/CoreIPC/ArgumentCoders.h:
(CoreIPC::):
Check that the argument decoder buffer actually can hold all the vector elements.
* Platform/CoreIPC/ArgumentDecoder.cpp:
(CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
Align the current position to the given alignment, add the size and check if the position is
past the end of the buffer.
* Platform/CoreIPC/ArgumentDecoder.h:
(CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64875 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index 0b88a57..85f2fd0 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -1,5 +1,25 @@
2010-08-06 Anders Carlsson <andersca at apple.com>
+ Reviewed by Sam Weinig.
+
+ Don't try to allocate a vector unless we know the buffer can contain it
+ https://bugs.webkit.org/show_bug.cgi?id=43647
+
+ * Platform/CoreIPC/ArgumentCoders.h:
+ (CoreIPC::):
+ Check that the argument decoder buffer actually can hold all the vector elements.
+
+ * Platform/CoreIPC/ArgumentDecoder.cpp:
+ (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
+ Align the current position to the given alignment, add the size and check if the position is
+ past the end of the buffer.
+
+ * Platform/CoreIPC/ArgumentDecoder.h:
+ (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
+ Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
+
+2010-08-06 Anders Carlsson <andersca at apple.com>
+
Reviewed by Adam Roben.
Detect invalid CoreIPC messages and call didReceiveInvalidMessage
diff --git a/WebKit2/Platform/CoreIPC/ArgumentCoders.h b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
index 4ecda87..c1fb86a 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentCoders.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
@@ -59,6 +59,12 @@ template<typename T> struct ArgumentCoder<Vector<T> > {
if (!decoder->decodeUInt64(size))
return false;
+ // Before allocating the cector, make sure that the decoder buffer is big enough.
+ if (!decoder->bufferIsLargeEnoughtToContain<T>(size)) {
+ decoder->markInvalid();
+ return false;
+ }
+
Vector<T> tmp;
tmp.reserveCapacity(size);
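Review bot: The precheck on the added lines passes `size`, a uint64_t read from the wire, into a size_t parameter, so on a 32-bit build a length above 2^32 is silently truncated before the comparison and a hostile sender can pick a count that passes as a small number of elements regardless of what the loop after the hunk does with the full 64-bit value; narrowing explicitly first, `if (size > std::numeric_limits<size_t>::max()) { decoder->markInvalid(); return false; }`, closes that gap (needs `<limits>`). The check also treats sizeof(T) as the minimum wire size of one element, which nothing in this hunk establishes — an element type whose encoding is shorter than its in-memory size would make the decoder reject a valid message, and one whose encoding is longer makes the check weaker than it looks, so the assumption deserves a comment such as `// Lower-bound check only: assumes each encoded T occupies at least sizeof(T) bytes.` The comment on the first added line also has a typo: `// Before allocating the vector, make sure that the decoder buffer is big enough.` The body of decode continues past the end of the hunk.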
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index 991da0b..acd0111 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -77,6 +77,11 @@ bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
return true;
}
+bool ArgumentDecoder::bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const
+{
+ return roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd;
+}
+
bool ArgumentDecoder::decodeBytes(Vector<uint8_t>& buffer)
{
uint64_t size;
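Review bot: The comparison on the added line adds `size` to the aligned position before comparing against `m_bufferEnd`, so a size near the top of the address range wraps the pointer sum (undefined behaviour for pointer arithmetic, and in practice a small address) and the check passes for a buffer that cannot hold the data; since `size` is derived from an element count taken from the message, this is reachable by a hostile sender. Subtracting keeps the arithmetic in bounds: `uint8_t* alignedPos = roundUpToAlignment(m_bufferPos, alignment);` followed by `return alignedPos <= m_bufferEnd && size <= static_cast<size_t>(m_bufferEnd - alignedPos);`. The `alignedPos <= m_bufferEnd` guard is needed because rounding up alone can already step past the end. This assumes m_bufferPos and m_bufferEnd are `uint8_t*` as the roundUpToAlignment call suggests; their declarations are not in the hunk, so adjust the type to match.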
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
index f7e409a..b58f811 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
@@ -55,6 +55,12 @@ public:
bool decodeFloat(float&);
bool decodeDouble(double&);
+ template<typename T>
+ bool bufferIsLargeEnoughtToContain(size_t numElements) const
+ {
+ return bufferIsLargeEnoughtToContain(__alignof(T), numElements * sizeof(T));
+ }
+
// Generic type decode function.
template<typename T> bool decode(T& t)
{
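Review bot: `numElements * sizeof(T)` in the added template can overflow size_t when numElements is attacker-controlled, which it is here (it is the element count decoded from the message in ArgumentCoder<Vector<T>>); on a 64-bit build a count just above SIZE_MAX / sizeof(T) yields a tiny wrapped byte count that passes the buffer check while the caller still goes on to reserveCapacity with the original count. Guard the multiplication before calling the overload: `if (numElements > std::numeric_limits<size_t>::max() / sizeof(T)) return false;` (add `#include <limits>` to the header if it is not already there). A short comment on the method would also help readers, since it only bounds the count against the remaining bytes and does not verify T's encoded form, e.g. `// Cheap lower-bound check: assumes every encoded T occupies at least sizeof(T) bytes.`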
@@ -79,6 +85,7 @@ private:
void initialize(const uint8_t* buffer, size_t bufferSize);
bool alignBufferPosition(unsigned alignment, size_t size);
+ bool bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const;
uint64_t m_destinationID;