[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

andersca at apple.com andersca at apple.com
Wed Dec 22 13:13:00 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 75f2728d75ee08bb9e6a264c12a24ee31a8718e6
Author: andersca at apple.com <andersca at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Sep 8 23:26:03 2010 +0000

    Improve CoreIPC encoding of strings
    https://bugs.webkit.org/show_bug.cgi?id=45418
    
    Reviewed by Darin Adler.
    
    Encode and decode null Strings. Check that the string length isn't bogus.
    
    * Platform/CoreIPC/ArgumentCoders.h:
    * Platform/CoreIPC/ArgumentDecoder.cpp:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
    * Platform/CoreIPC/ArgumentDecoder.h:
    (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
    * Shared/WebCoreArgumentCoders.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67034 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebKit2/ChangeLog b/WebKit2/ChangeLog
index 23d3eed..41831a0 100644
--- a/WebKit2/ChangeLog
+++ b/WebKit2/ChangeLog
@@ -1,3 +1,19 @@
+2010-09-08  Anders Carlsson  <andersca at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Improve CoreIPC encoding of strings
+        https://bugs.webkit.org/show_bug.cgi?id=45418
+
+        Encode and decode null Strings. Check that the string length isn't bogus.
+
+        * Platform/CoreIPC/ArgumentCoders.h:
+        * Platform/CoreIPC/ArgumentDecoder.cpp:
+        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
+        * Platform/CoreIPC/ArgumentDecoder.h:
+        (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain):
+        * Shared/WebCoreArgumentCoders.h:
+
 2010-09-08  Adam Roben  <aroben at apple.com>
 
         Add a way to cause the web process to crash at a random time
diff --git a/WebKit2/Platform/CoreIPC/ArgumentCoders.h b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
index 78077bb..2668439 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentCoders.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentCoders.h
@@ -83,7 +83,7 @@ template<typename T> struct ArgumentCoder<Vector<T> > {
             return false;
 
         // Before allocating the vector, make sure that the decoder buffer is big enough.
-        if (!decoder->bufferIsLargeEnoughtToContain<T>(size)) {
+        if (!decoder->bufferIsLargeEnoughToContain<T>(size)) {
             decoder->markInvalid();
             return false;
         }
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index acd0111..f8bf34b 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -77,7 +77,7 @@ bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
     return true;
 }
 
-bool ArgumentDecoder::bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const
+bool ArgumentDecoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const
 {
     return roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd;
 }
diff --git a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
index 231ca16..e6b8498 100644
--- a/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
+++ b/WebKit2/Platform/CoreIPC/ArgumentDecoder.h
@@ -56,9 +56,9 @@ public:
     bool decodeDouble(double&);
 
     template<typename T>
-    bool bufferIsLargeEnoughtToContain(size_t numElements) const
+    bool bufferIsLargeEnoughToContain(size_t numElements) const
     {
-        return bufferIsLargeEnoughtToContain(__alignof(T), numElements * sizeof(T));
+        return bufferIsLargeEnoughToContain(__alignof(T), numElements * sizeof(T));
     }
 
     // Generic type decode function.
@@ -85,7 +85,7 @@ private:
     void initialize(const uint8_t* buffer, size_t bufferSize);
 
     bool alignBufferPosition(unsigned alignment, size_t size);
-    bool bufferIsLargeEnoughtToContain(unsigned alignment, size_t size) const;
+    bool bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const;
 
     uint64_t m_destinationID;
 
diff --git a/WebKit2/Shared/WebCoreArgumentCoders.h b/WebKit2/Shared/WebCoreArgumentCoders.h
index d96a4a2..33c2127 100644
--- a/WebKit2/Shared/WebCoreArgumentCoders.h
+++ b/WebKit2/Shared/WebCoreArgumentCoders.h
@@ -35,8 +35,11 @@
 #include <WebCore/IntRect.h>
 #include <WebCore/PluginData.h>
 #include <WebCore/ResourceRequest.h>
+#include <limits>
 #include <wtf/text/WTFString.h>
 
+using namespace std;
+
 namespace CoreIPC {
 
 template<> struct ArgumentCoder<WebCore::IntPoint> : SimpleArgumentCoder<WebCore::IntPoint> { };
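Review bot: `using namespace std;` at namespace scope in a header is pulled into every translation unit that includes WebCoreArgumentCoders.h, which can turn previously unambiguous unqualified names into ambiguities wherever WTF and the standard library overlap on a name. The directive exists only to shorten two call sites in the later hunks of this file; drop it and qualify them as `std::numeric_limits<uint32_t>::max()` instead. Keep the `#include <limits>` line, which is the part of this hunk that is actually needed.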
@@ -46,6 +49,12 @@ template<> struct ArgumentCoder<WebCore::IntRect> : SimpleArgumentCoder<WebCore:
 template<> struct ArgumentCoder<WTF::String> {
     static void encode(ArgumentEncoder* encoder, const WTF::String& string)
     {
+        // Special case the null string.
+        if (string.isNull()) {
+            encoder->encodeUInt32(numeric_limits<uint32_t>::max());
+            return;
+        }
+
         uint32_t length = string.length();
         encoder->encode(length);
         encoder->encodeBytes(reinterpret_cast<const uint8_t*>(string.characters()), length * sizeof(UChar));
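Review bot: The null-string sentinel written by the new branch is an unnamed wire-protocol constant that this encoder and the decoder in the next hunk must agree on, and neither site documents that the value is reserved. Give it a single definition both sides use, e.g. `static const uint32_t nullStringLength = numeric_limits<uint32_t>::max();` in this struct with a one-line comment that it is reserved and is never a real length, and reference it from both `encode` and `decode`. encode's body continues past the hunk.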
@@ -56,6 +65,18 @@ template<> struct ArgumentCoder<WTF::String> {
         uint32_t length;
         if (!decoder->decode(length))
             return false;
+
+        if (length == numeric_limits<uint32_t>::max()) {
+            // This is the null string.
+            s = String();
+            return true;
+        }
+
+        // Before allocating the string, make sure that the decoder buffer is big enough.
+        if (!decoder->bufferIsLargeEnoughToContain<UChar>(length)) {
+            decoder->markInvalid();
+            return false;
+        }
         
         UChar* buffer;
         WTF::String string = WTF::String::createUninitialized(length, buffer);
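Review bot: The new size check can be defeated by arithmetic wrap on 32-bit targets (where size_t is 32 bits): `bufferIsLargeEnoughToContain<UChar>(length)` computes `numElements * sizeof(T)` in size_t, so a `length` above 0x7FFFFFFF wraps to a small byte count, the check passes, and `createUninitialized(length, buffer)` is then asked for an allocation the check never vetted — `length` arrives over IPC and has to be treated as untrusted. Reject the overflowing range before the buffer check, `if (length > numeric_limits<size_t>::max() / sizeof(UChar)) { decoder->markInvalid(); return false; }`, or better, put that guard inside the template in ArgumentDecoder.h so every element-count caller gets it. The comparison in the ArgumentDecoder.cpp hunk, `roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd`, has the same weakness if those members are pointers, since a large `size` can wrap the pointer; it is safer written as `size <= static_cast<size_t>(m_bufferEnd - alignedPos)` after confirming `alignedPos <= m_bufferEnd`. decode's body continues past the hunk, so whatever reads into `buffer` afterwards is not visible here.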
