Title: [274027] trunk/Source/WebKit
Revision
274027
Author
cdu...@apple.com
Date
2021-03-05 18:56:21 -0800 (Fri, 05 Mar 2021)

Log Message

[IPC Hardening] Protect against bad navigationID in WebPageProxy::didDestroyNavigation()
https://bugs.webkit.org/show_bug.cgi?id=222842
<rdar://problem/75119560>

Reviewed by Darin Adler.

* UIProcess/WebNavigationState.h:
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didDestroyNavigation):

Modified: trunk/Source/WebKit/ChangeLog (274026 => 274027)


--- trunk/Source/WebKit/ChangeLog	2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/ChangeLog	2021-03-06 02:56:21 UTC (rev 274027)
@@ -1,5 +1,17 @@
 2021-03-05  Chris Dumez  <cdu...@apple.com>
 
+        [IPC Hardening] Protect against bad navigationID in WebPageProxy::didDestroyNavigation()
+        https://bugs.webkit.org/show_bug.cgi?id=222842
+        <rdar://problem/75119560>
+
+        Reviewed by Darin Adler.
+
+        * UIProcess/WebNavigationState.h:
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::didDestroyNavigation):
+
+2021-03-05  Chris Dumez  <cdu...@apple.com>
+
         Potential crash under NotificationPermissionRequestManagerProxy::invalidateRequests()
         https://bugs.webkit.org/show_bug.cgi?id=222841
 

Modified: trunk/Source/WebKit/UIProcess/WebNavigationState.h (274026 => 274027)


--- trunk/Source/WebKit/UIProcess/WebNavigationState.h	2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/UIProcess/WebNavigationState.h	2021-03-06 02:56:21 UTC (rev 274027)
@@ -67,8 +67,10 @@
         return ++m_navigationID;
     }
 
+    using NavigationMap = HashMap<uint64_t, RefPtr<API::Navigation>>;
+
 private:
-    HashMap<uint64_t, RefPtr<API::Navigation>> m_navigations;
+    NavigationMap m_navigations;
     uint64_t m_navigationID { 0 };
 };
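Review bot: The new `NavigationMap` alias sits in the public section with no comment saying why an implementation detail is being exposed, so a reader may take it as an invitation to use the map type elsewhere. Presumably the only consumer is the `isValidKey()` check in WebPageProxy, since the `m_navigations` member itself stays private. I'd put `// Public only so IPC message handlers can validate incoming navigation IDs via NavigationMap::isValidKey().` above the `using` line. The enclosing class begins outside this hunk.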
 

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (274026 => 274027)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2021-03-06 02:55:17 UTC (rev 274026)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2021-03-06 02:56:21 UTC (rev 274027)
@@ -4375,6 +4375,8 @@
 
 void WebPageProxy::didDestroyNavigation(uint64_t navigationID)
 {
+    MESSAGE_CHECK(m_process, WebNavigationState::NavigationMap::isValidKey(navigationID));
+
     PageClientProtector protector(pageClient());
 
     // On process-swap, the previous process tries to destroy the navigation but the provisional process is actually taking over the navigation.
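Review bot: The added MESSAGE_CHECK only rejects the HashMap sentinel keys that `isValidKey()` refuses (the empty and deleted values), so any other well-formed `navigationID` from an untrusted WebContent process still passes and reaches `m_navigationState->didDestroyNavigation()`. That is probably the intent — the check keeps the hash table from asserting on a sentinel key — but it is worth recording so nobody later reads it as proof the ID belongs to this page: `// isValidKey() only filters HashMap sentinel values; unknown IDs are left for WebNavigationState to handle.` Whether an unknown ID is tolerated is decided inside WebNavigationState::didDestroyNavigation, which is not in this diff. didDestroyNavigation's body continues past this hunk into the next one.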
@@ -4381,7 +4383,6 @@
     if (m_provisionalPage && m_provisionalPage->navigationID() == navigationID)
         return;
 
-    // FIXME: Message check the navigationID.
     m_navigationState->didDestroyNavigation(navigationID);
 }
 