[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

andersca at apple.com andersca at apple.com
Wed Dec 22 11:47:40 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit f2932dc61f1c68bd00b879d5cc299a59d01b993a
Author: andersca at apple.com <andersca at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Aug 6 22:39:28 2010 +0000

    Don't try to allocate a vector unless we know the buffer can contain it
    https://bugs.webkit.org/show_bug.cgi?id=43647
    
    Reviewed by Sam Weinig.
    
    * Platform/CoreIPC/ArgumentCoders.h:
    (CoreIPC::):
    Check that the argument decoder buffer actually can hold all the vector elements.
    
    * Platform/CoreIPC/ArgumentDecoder.cpp:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
    Align the current position to the given alignment, add the size and check if the position is
    past the end of the buffer.
    
    * Platform/CoreIPC/ArgumentDecoder.h:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
    Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64875 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index 0b88a57..85f2fd0 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -1,5 +1,25 @@
 2010-08-06  Anders Carlsson  <andersca at apple.com>
 
+        Reviewed by Sam Weinig.
+
+        Don't try to allocate a vector unless we know the buffer can contain it
+        https://bugs.webkit.org/show_bug.cgi?id=43647
+
+        * Platform/CoreIPC/ArgumentCoders.h:
+        (CoreIPC::):
+        Check that the argument decoder buffer actually can hold all the vector elements.
+
+        * Platform/CoreIPC/ArgumentDecoder.cpp:
+        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
+        Align the current position to the given alignment, add the size and check if the position is
+        past the end of the buffer.
+
+        * Platform/CoreIPC/ArgumentDecoder.h:
+        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughtToContain):
+        Get the size and alignment and call the other bufferIsLargeEnoughtToContain overload.
+
+2010-08-06  Anders Carlsson  <andersca at apple.com>
+
         Reviewed by Adam Roben.
 
         Detect invalid CoreIPC messages and call didReceiveInvalidMessage
diff --git a/WebKit2/Platform/CoreIPC/ArgumentCoders.h b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
index 4ecda87..c1fb86a 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentCoders.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
@@ -59,6 +59,12 @@ template<typename T> struct ArgumentCoder<Vector<T> > {
         if (!decoder->decodeUInt64(size))
             return false;
 
+        // Before allocating the cector, make sure that the decoder buffer is big enough.
+        if (!decoder->bufferIsLargeEnoughtToContain<T>(size)) {
+            decoder->markInvalid();
+            return false;
+        }
+
         Vector<T> tmp;
         tmp.reserveCapacity(size);
 
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index 991da0b..acd0111 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -77,6 +77,11 @@ bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
     return true;
 }
 
+bool ArgumentDecoder::bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const
+{
+    return roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd;
+}
+
 bool ArgumentDecoder::decodeBytes(Vector<uint8_t>& buffer)
 {
     uint64_t size;
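Review bot: `roundUpToAlignment(m_bufferPos, alignment) + size` forms a pointer past the end of the buffer whenever `size` is larger than the bytes remaining, which is undefined behaviour in pointer arithmetic and, if the address wraps, makes the `<= m_bufferEnd` comparison succeed for exactly the oversized values this function exists to reject. Comparing the remaining byte count instead avoids ever forming an out-of-range pointer: `const uint8_t* alignedPos = roundUpToAlignment(m_bufferPos, alignment);` followed by `return alignedPos <= m_bufferEnd && static_cast<size_t>(m_bufferEnd - alignedPos) >= size;`. This assumes `m_bufferPos` and `m_bufferEnd` are the byte pointers that `initialize(const uint8_t*, size_t)` sets up, which is not visible in this hunk.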
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
index f7e409a..b58f811 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
@@ -55,6 +55,12 @@ public:
     bool decodeFloat(float&);
     bool decodeDouble(double&);
 
+    template<typename T>
+    bool bufferIsLargeEnoughtToContain(size_t numElements) const
+    {
+        return bufferIsLargeEnoughtToContain(__alignof(T), numElements * sizeof(T));
+    }
+
     // Generic type decode function.
     template<typename T> bool decode(T& t)
     {
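Review bot: `numElements * sizeof(T)` can wrap in `size_t` for an attacker-chosen element count, so a count far larger than the buffer can produce a small byte size that passes the overload below and still reaches `reserveCapacity` with the original huge count; guard the multiplication first, e.g. `if (numElements > std::numeric_limits<size_t>::max() / sizeof(T)) return false;` (needs `<limits>`) before `return bufferIsLargeEnoughtToContain(__alignof(T), numElements * sizeof(T));`. As a point of style, the name `bufferIsLargeEnoughtToContain` carries a typo (`Enought`) that is now repeated in three files, including the declaration in the next hunk, and would be cheapest to fix in this commit.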
@@ -79,6 +85,7 @@ private:
     void initialize(const uint8_t* buffer, size_t bufferSize);
 
     bool alignBufferPosition(unsigned alignment, size_t size);
+    bool bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const;
 
     uint64_t m_destinationID;
 
