Title: [274027] trunk/Source/WebKit
- Revision
- 274027
- Author
- cdu...@apple.com
- Date
- 2021-03-05 18:56:21 -0800 (Fri, 05 Mar 2021)
Log Message
[IPC Hardening] Protect against bad navigationID in WebPageProxy::didDestroyNavigation()
https://bugs.webkit.org/show_bug.cgi?id=222842
<rdar://problem/75119560>
Reviewed by Darin Adler.
* UIProcess/WebNavigationState.h:
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didDestroyNavigation):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (274026 => 274027)
--- trunk/Source/WebKit/ChangeLog 2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/ChangeLog 2021-03-06 02:56:21 UTC (rev 274027)
@@ -1,5 +1,17 @@
2021-03-05 Chris Dumez <cdu...@apple.com>
+ [IPC Hardening] Protect against bad navigationID in WebPageProxy::didDestroyNavigation()
+ https://bugs.webkit.org/show_bug.cgi?id=222842
+ <rdar://problem/75119560>
+
+ Reviewed by Darin Adler.
+
+ * UIProcess/WebNavigationState.h:
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::didDestroyNavigation):
+
+2021-03-05 Chris Dumez <cdu...@apple.com>
+
Potential crash under NotificationPermissionRequestManagerProxy::invalidateRequests()
https://bugs.webkit.org/show_bug.cgi?id=222841
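Review bot: the new ChangeLog entry lists the touched files but gives no description of the change itself; a sentence under the bug links stating that navigationID arrives over IPC from the WebContent process and is now rejected with MESSAGE_CHECK when it is not a valid HashMap key would make the log entry self-explanatory.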
Modified: trunk/Source/WebKit/UIProcess/WebNavigationState.h (274026 => 274027)
--- trunk/Source/WebKit/UIProcess/WebNavigationState.h 2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/UIProcess/WebNavigationState.h 2021-03-06 02:56:21 UTC (rev 274027)
@@ -67,8 +67,10 @@
return ++m_navigationID;
}
+ using NavigationMap = HashMap<uint64_t, RefPtr<API::Navigation>>;
+
private:
- HashMap<uint64_t, RefPtr<API::Navigation>> m_navigations;
+ NavigationMap m_navigations;
uint64_t m_navigationID { 0 };
};
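Review bot: the `NavigationMap` alias is placed above `private:` purely so WebPageProxy can call `WebNavigationState::NavigationMap::isValidKey`; a short comment next to the `using` saying that the alias is public for the message check would stop a later tidy-up from moving it back under `private:` and breaking the caller.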
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (274026 => 274027)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-06 02:56:21 UTC (rev 274027)
@@ -4375,6 +4375,8 @@
void WebPageProxy::didDestroyNavigation(uint64_t navigationID)
{
+ MESSAGE_CHECK(m_process, WebNavigationState::NavigationMap::isValidKey(navigationID));
+
PageClientProtector protector(pageClient());
// On process-swap, the previous process tries to destroy the navigation but the provisional process is actually taking over the navigation.
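Review bot: `HashMap::isValidKey` only rejects the key values the map's hash traits reserve for empty and deleted buckets; it does not establish that the ID refers to a navigation this page knows about, so the unknown-ID case still relies on `m_navigationState->didDestroyNavigation` tolerating a miss. Worth noting in the ChangeLog that this MESSAGE_CHECK guards the HashMap invariant rather than validating the navigation.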
@@ -4381,7 +4383,6 @@
if (m_provisionalPage && m_provisionalPage->navigationID() == navigationID)
return;
- // FIXME: Message check the navigationID.
m_navigationState->didDestroyNavigation(navigationID);
}
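Review bot: dropping the FIXME is consistent with the MESSAGE_CHECK added at the top of the function, and because that check runs before the provisional-page early return, a malformed ID is rejected on the process-swap path as well as on the normal path.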
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes