Skip to site navigation (Press enter)

[webkit-changes] [277655] trunk/Source/WebKit

cdumez Tue, 18 May 2021 09:07:14 -0700

Title: [277655] trunk/Source/WebKit

Revision: 277655
Author: cdu...@apple.com
Date: 2021-05-18 09:07:04 -0700 (Tue, 18 May 2021)

Log Message

ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize
https://bugs.webkit.org/show_bug.cgi?id=225918


Reviewed by Youenn Fablet.

ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize since the
process writing the buffer size on the other end may not be trusted.

* Shared/Cocoa/SharedRingBufferStorage.cpp:
(WebKit::ReadOnlySharedRingBufferStorage::updateFrameBounds):

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp

Diff

Modified: trunk/Source/WebKit/ChangeLog (277654 => 277655)


--- trunk/Source/WebKit/ChangeLog	2021-05-18 15:55:15 UTC (rev 277654)
+++ trunk/Source/WebKit/ChangeLog	2021-05-18 16:07:04 UTC (rev 277655)
@@ -1,3 +1,16 @@
+2021-05-18  Chris Dumez  <cdu...@apple.com>
+
+        ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize
+        https://bugs.webkit.org/show_bug.cgi?id=225918
+
+        Reviewed by Youenn Fablet.
+
+        ReadOnlySharedRingBufferStorage::updateFrameBounds() should validate boundsBufferSize since the
+        process writing the buffer size on the other end may not be trusted.
+
+        * Shared/Cocoa/SharedRingBufferStorage.cpp:
+        (WebKit::ReadOnlySharedRingBufferStorage::updateFrameBounds):
+
 2021-05-18  Youenn Fablet  <you...@apple.com>
 
         Resurrect WKWebView media controls API removed in https://bugs.webkit.org/show_bug.cgi?id=221929

Modified: trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp (277654 => 277655)


--- trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp	2021-05-18 15:55:15 UTC (rev 277654)
+++ trunk/Source/WebKit/Shared/Cocoa/SharedRingBufferStorage.cpp	2021-05-18 16:07:04 UTC (rev 277655)
@@ -70,8 +70,12 @@
         m_startFrame = m_endFrame = 0;
         return;
     }
-
-    auto pair = sharedBounds->boundsBuffer[sharedBounds->boundsBufferIndex.load(std::memory_order_acquire)];
+    unsigned boundsBufferIndex = sharedBounds->boundsBufferIndex.load(std::memory_order_acquire);
+    if (UNLIKELY(boundsBufferIndex >= boundsBufferSize)) {
+        m_startFrame = m_endFrame = 0;
+        return;
+    }
+    auto pair = sharedBounds->boundsBuffer[boundsBufferIndex];
     m_startFrame = pair.first;
     m_endFrame = pair.second;
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes