[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
darin at apple.com
Mon Feb 21 00:37:48 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit b73aa1b3793bf8c93b18685330da48ed5d1418aa
Author: darin at apple.com <darin at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Feb 2 17:59:24 2011 +0000
2011-02-01 Darin Adler <darin at apple.com>
Reviewed by Anders Carlsson.
Overflow in WebKit2 argument decoder buffer checking
https://bugs.webkit.org/show_bug.cgi?id=53536
* Platform/CoreIPC/ArgumentDecoder.cpp:
(CoreIPC::roundUpToAlignment): Tweak code a bit for clarity and to replace
C casts with C++ casts.
(CoreIPC::ArgumentDecoder::alignBufferPosition): Rearrange buffer calculation
so we don't do any math with the passed-in size, because that could overflow.
(CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain): Ditto.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77378 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
index 3c9b1d5..8903856 100644
--- a/Source/WebKit2/ChangeLog
+++ b/Source/WebKit2/ChangeLog
@@ -1,3 +1,17 @@
+2011-02-01 Darin Adler <darin at apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ Overflow in WebKit2 argument decoder buffer checking
+ https://bugs.webkit.org/show_bug.cgi?id=53536
+
+ * Platform/CoreIPC/ArgumentDecoder.cpp:
+ (CoreIPC::roundUpToAlignment): Tweak code a bit for clarity and to replace
+ C casts with C++ casts.
+ (CoreIPC::ArgumentDecoder::alignBufferPosition): Rearrange buffer calculation
+ so we don't do any math with the passed-in size, because that could overflow.
+ (CoreIPC::ArgumentDecoder::bufferIsLargeEnoughToContain): Ditto.
+
2011-02-01 Csaba Osztrogonác <ossy at webkit.org>
Unreviewed.
diff --git a/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp b/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
index 3e6932b..4664806 100644
--- a/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
+++ b/Source/WebKit2/Platform/CoreIPC/ArgumentDecoder.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010, 2011 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -69,13 +69,15 @@ void ArgumentDecoder::initialize(const uint8_t* buffer, size_t bufferSize)
static inline uint8_t* roundUpToAlignment(uint8_t* ptr, unsigned alignment)
{
- return (uint8_t*)(((uintptr_t)ptr + alignment - 1) & ~(uintptr_t)(alignment - 1));
+ ASSERT(alignment);
+ uintptr_t alignmentMask = alignment - 1;
+ return reinterpret_cast<uint8_t*>((reinterpret_cast<uintptr_t>(ptr) + alignmentMask) & ~alignmentMask);
}
bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
{
uint8_t* buffer = roundUpToAlignment(m_bufferPos, alignment);
- if (buffer + size > m_bufferEnd) {
+ if (static_cast<size_t>(m_bufferEnd - buffer) < size) {
// We've walked off the end of this buffer.
markInvalid();
return false;
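Review bot: the new comparison `static_cast<size_t>(m_bufferEnd - buffer) < size` assumes `buffer <= m_bufferEnd`, but `roundUpToAlignment` can move `m_bufferPos` past `m_bufferEnd` when fewer than `alignment` bytes remain; the difference is then a negative `ptrdiff_t`, the cast wraps it to a very large `size_t`, and the overrun check passes. Guard the aligned pointer before subtracting, e.g. `if (buffer > m_bufferEnd || static_cast<size_t>(m_bufferEnd - buffer) < size)`. Separately, `ASSERT(alignment)` only rules out zero, while the mask arithmetic in `roundUpToAlignment` is correct only for power-of-two alignments; asserting `!(alignment & (alignment - 1))` as well would document that precondition.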
@@ -87,7 +89,7 @@ bool ArgumentDecoder::alignBufferPosition(unsigned alignment, size_t size)
bool ArgumentDecoder::bufferIsLargeEnoughToContain(unsigned alignment, size_t size) const
{
- return roundUpToAlignment(m_bufferPos, alignment) + size <= m_bufferEnd;
+ return static_cast<size_t>(m_bufferEnd - roundUpToAlignment(m_bufferPos, alignment)) >= size;
}
bool ArgumentDecoder::decodeBytes(Vector<uint8_t>& buffer)
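Review bot: the same precondition applies to `bufferIsLargeEnoughToContain`: the subtraction in the `+` line is only meaningful when the rounded-up pointer is at or before `m_bufferEnd`; otherwise the `size_t` cast turns a negative difference into a large value and the function returns true for a buffer that is actually too small. Compute the aligned pointer once, check it against `m_bufferEnd`, then compare the remaining length with `size`; a shared helper taking the aligned pointer would keep this function and `alignBufferPosition` consistent.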